Solved Please help! That nasty Sirefef got me.

[Phasmos]

If anyone here (like the amazing Broni, for instance) can save my poor old computer from the havoc this demonic bit of code is wreaking, I'll be immensely grateful. Getting online is a horrible effort now, and who knows who is watching my every move?

I should probably assume that all my passwords and card numbers have been compromised, as well...?

Please, can someone help me get rid of this damn thing?? Thanks in advance...

- Christian

 

[Broni]

Welcome aboard

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:

• Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
• If you're stuck, or you're not sure about certain step, always ask before doing anything else.
• Please refrain from running tools or applying updates other than those I suggest.
• Never run more than one scan at a time.
• Keep updating me regarding your computer behavior, good, or bad.
• The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
• If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
• I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

 

[Phasmos]

Hi Broni!

Thanks for your reply. Here are the logs you've requested. First, a little background, to make sense of what may seem like an inconclusive scan: Over the past few days, I've downloaded and run about a dozen antivirus and anti-malware/adware programs to try to get rid of this pest, including Avast (which, for the first day or two, kept informing me about every 5 minutes that it was successfully blocking rootkits and Trojans from at least 2 variants of Sirefef, though now it no longer does so... which leads me to believe that it has been bypassed or compromised somehow), MSE, TDSSkiller, and Combofix, among other things. The last thing I ran was called HitmanPro36, which identified and deleted a Trojan package.

There is still an active presence at work here, though, as Firefox takes at least 5 minutes to start, the cursor drags or freezes entirely for seconds at a time, and my desktop icons keep being inexplicably rearranged despite the Avast doo-hickey which insists that my "system is secured." Also, my firewall has been deactivated, and any attempt to restart it gets an error message stating that it cannot be activated due to "an unidentified problem."

In addition, I get two weird registry errors upon startup that say "Windows cannot locate the file "□□". This may be the result of my trying to clean up the registry manually before I realized what was actually happening, though I can't find any such file and thus can't delete it. I don't know what to do about this, either, but I’m not certain that it is related to the problem at hand.

Everything is running UNBELIEVABLY SLOWLY. It’s taken me hours to simply cut and paste this message into the window, and your server keeps timing out before my post can get thru. This is maddening.

Anyway, since that Hitman thing deleted the visible Trojan hit, Malwarebytes scan results appear to be clean, despite the obvious problems which are still evident. GMER scan worked, but DDS would not run at all (though I don’t believe I have any scripting protection running). The command line window opens for 1 second and then simply disappears.

MALWAREBYTES RESULTS:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.05.20.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.11
Ann :: HOME1 [administrator]

5/21/2012 10:24:30 PM
mbam-log-2012-05-21 (22-24-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 250039
Time elapsed: 29 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

[Phasmos]

GMER RESULTS (Pt. 1):

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-22 05:22:40
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380011A rev.8.16
Running: ph4w7t0b.exe; Driver: C:\DOCUME~1\Ann\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xF769ADF8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xF7727A5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xF769B85E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xF76C7D5D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xF76A02E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xF76A0330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xF76A0422]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xF76C7711]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xF76A0252]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xF76A0374]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xF76A029A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xF76A03DC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xF769AE44]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xF76C8423]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xF76C86D9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xF769D9A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xF76C828E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xF76C80F9]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xF7727B34]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xF769AAD6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xF769AE90]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xF769DD1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xF769BB02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xF76A030E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xF76A0352]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xF76A0446]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xF76C7A6D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xF76A0278]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xF769D518]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xF76A03AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xF76A02C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xF769D74C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xF76A0400]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xF7727CA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xF76C7F74]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xF769B9CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xF76C7DC6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF7731B68]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xF76C6D84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xF769AEDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xF769AF28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xF769AB46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xF769ACEA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xF76C852A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xF769AC92]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xF769AD5A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0xF7727D60]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xF769AF74]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0xF7727BE0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xF773DD92]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056BB88 4 Bytes CALL F769C19F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF90D9340, 0x121A5F, 0xF8000020]
.text win32k.sys!EngFreeUserMem + 674 BF8098E2 5 Bytes JMP F769F180 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFreeUserMem + 35D0 BF80C83E 5 Bytes JMP F769F07C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 45 BF8138D6 5 Bytes JMP F769F036 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 11D3 BF81C540 5 Bytes JMP F769E724 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngSetLastError + 79A8 BF8240B0 5 Bytes JMP F769DF84 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + F9C BF828A1A 5 Bytes JMP F769F2EA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 2C50 BF831465 5 Bytes JMP F769F4F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + B687 BF839E9C 5 Bytes JMP F769EF3C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + C2CF BF85173B 5 Bytes JMP F769DE66 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + F17 BF85BC5A 5 Bytes JMP F769E7E6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 3581 BF85E2C4 5 Bytes JMP F769E384 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 360C BF85E34F 5 Bytes JMP F769E562 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 88 BF85F5C2 5 Bytes JMP F769DE4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 5457 BF864991 5 Bytes JMP F769F0BA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 4128 BF873CC4 5 Bytes JMP F769E51C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetLastError + 1606 BF890F01 5 Bytes JMP F769E7FE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 26EE BF8944AC 5 Bytes JMP F769F232 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 583 BF894F84 5 Bytes JMP F769F450 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 3857 BF89C32B 5 Bytes JMP F769E70C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 4DEC BF89D8C0 5 Bytes JMP F769DFF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngEraseSurface + A9DB BF8C1E40 5 Bytes JMP F769E104 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1517 BF8CA2A2 5 Bytes JMP F769E1AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1797 BF8CA522 5 Bytes JMP F769E2E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + 3B3E BF8EBEF7 5 Bytes JMP F769DD52 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + CB46 BF8F4EFF 5 Bytes JMP F769E73C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1A2D BF9136C2 5 Bytes JMP F769DF22 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2601 BF914296 5 Bytes JMP F769E0B0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4F7A BF916C0F 5 Bytes JMP F769E67C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 194D BF946CFD 5 Bytes JMP F769F3A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012380, 0x25BA81, 0xF8000020]

 

[Phasmos]

GMER RESULTS (Pt. 2):

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[188] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[188] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[188] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[188] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\svchost.exe[188] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\System32\svchost.exe[188] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\System32\svchost.exe[188] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\System32\svchost.exe[188] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\System32\svchost.exe[188] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
.text C:\WINDOWS\System32\svchost.exe[472] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[472] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[472] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[472] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\svchost.exe[472] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\System32\svchost.exe[472] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\System32\svchost.exe[472] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\System32\svchost.exe[472] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\System32\svchost.exe[472] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
.text C:\WINDOWS\System32\smss.exe[600] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[672] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[672] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000701F8
.text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000703FC
.text C:\WINDOWS\system32\winlogon.exe[696] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\winlogon.exe[696] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\winlogon.exe[696] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\winlogon.exe[696] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\winlogon.exe[696] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\winlogon.exe[696] USER32.dll!UnhookWinEvent 7E4318AC

 

[Phasmos]

GMER RESULTS (Pt. 3):

5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\services.exe[740] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\services.exe[740] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[740] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\services.exe[740] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\services.exe[740] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\services.exe[740] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\services.exe[740] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\services.exe[740] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\services.exe[740] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
.text C:\Program Files\Bonjour\mDNSResponder.exe[932] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
.text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00451014
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00450804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00450A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00450C0C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00450E10
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 004501F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 004503FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00450600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00460804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00460A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00460600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 004601F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 004603FC
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 006C1014
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 006C0804
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 006C0A08
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 006C0C0C
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 006C0E10
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 006C01F8
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 006C03FC
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 006C0600
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 006D0804
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 006D0A08
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 006D0600
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 006D01F8
.text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 006D03FC

 

[Phasmos]

GMER RESULTS (Pt. 4):

.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1460] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1460] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1460] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1528] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1528] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1600] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\Explorer.EXE[1600] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1600] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\Explorer.EXE[1600] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\WINDOWS\Explorer.EXE[1600] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\WINDOWS\Explorer.EXE[1600] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\WINDOWS\Explorer.EXE[1600] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\WINDOWS\Explorer.EXE[1600] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\WINDOWS\Explorer.EXE[1600] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\spoolsv.exe[1660] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\spoolsv.exe[1660] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1660] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\spoolsv.exe[1660] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\spoolsv.exe[1660] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\spoolsv.exe[1660] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\spoolsv.exe[1660] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\spoolsv.exe[1660] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\spoolsv.exe[1660] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\ctfmon.exe[1740] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\ctfmon.exe[1740] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1740] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\ctfmon.exe[1740] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\ctfmon.exe[1740] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\ctfmon.exe[1740] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\ctfmon.exe[1740] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\ctfmon.exe[1740] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\ctfmon.exe[1740] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
.text C:\WINDOWS\System32\MsPMSPSv.exe[1832] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003F1014
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003F0804
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003F0A08
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003F0C0C
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003F0E10
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003F01F8
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003F03FC
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003F0600
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00470804
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00470A08
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00470600
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 004701F8
.text C:\Program Files\iTunes\iTunesHelper.exe[2028] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 004703FC
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003F1014
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003F0804
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003F0A08
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003F0C0C
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003F0E10
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003F01F8
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003F03FC
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003F0600
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00480804
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00480A08
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00480600
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 004801F8
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 004803FC

 

[Phasmos]

GMER RESULTS (Pt. 5):

.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003F0804
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003F0A08
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003F0600
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003F01F8
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003F03FC
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00491014
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00490804
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00490A08
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00490C0C
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00490E10
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 004901F8
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 004903FC
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00490600
.text C:\Program Files\iPod\bin\iPodService.exe[2552] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\iPod\bin\iPodService.exe[2552] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\iPod\bin\iPodService.exe[2552] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\iPod\bin\iPodService.exe[2552] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\Program Files\iPod\bin\iPodService.exe[2552] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
.text C:\Program Files\iPod\bin\iPodService.exe[2552] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
.text C:\Program Files\iPod\bin\iPodService.exe[2552] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
.text C:\Program Files\iPod\bin\iPodService.exe[2552] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
.text C:\Program Files\iPod\bin\iPodService.exe[2552] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
.text C:\WINDOWS\system32\wscntfy.exe[3004] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\wscntfy.exe[3004] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[3004] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\wscntfy.exe[3004] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[3004] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\wscntfy.exe[3004] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\wscntfy.exe[3004] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\wscntfy.exe[3004] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\wscntfy.exe[3004] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 006A1014
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 006A0804
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 006A0A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 006A0C0C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 006A0E10
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 006A01F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 006A03FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 006A0600
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 006B0804
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 006B0A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 006B0600
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 006B01F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[3408] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 006B03FC
.text C:\Documents and Settings\Ann\Desktop\ph4w7t0b.exe[3916] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Documents and Settings\Ann\Desktop\ph4w7t0b.exe[3916] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[740] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005E0002
IAT C:\WINDOWS\system32\services.exe[740] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005E0000
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [010F2F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [010F2C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [010F2CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [010F2CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1460] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\avastUI.exe[1528] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\WINDOWS\Explorer.EXE[1600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01D32F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01D32C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01D32CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01D32CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \FileSystem\Ntfs \Ntfs ScreenNT.sys (Drive monitor./Quick Heal Technologies (P) Ltd.)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \FileSystem\Fastfat \Fat ScreenNT.sys (Drive monitor./Quick Heal Technologies (P) Ltd.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\.m10@ Money.LegacyDoc10
Reg HKLM\SOFTWARE\Classes\.m11@ Money.LegacyDoc11
Reg HKLM\SOFTWARE\Classes\.m12@ Money.LegacyDoc12
Reg HKLM\SOFTWARE\Classes\.mbf@ MoneyBackup.Document
Reg HKLM\SOFTWARE\Classes\.mn1@ Money.LegacyDoc1
Reg HKLM\SOFTWARE\Classes\.mn2@ Money.LegacyDoc2
Reg HKLM\SOFTWARE\Classes\.mn3@ Money.LegacyDoc3
Reg HKLM\SOFTWARE\Classes\.mn4@ Money.LegacyDoc4
Reg HKLM\SOFTWARE\Classes\.mn5@ Money.LegacyDoc5
Reg HKLM\SOFTWARE\Classes\.mn6@ Money.LegacyDoc6
Reg HKLM\SOFTWARE\Classes\.mn7@ Money.LegacyDoc7
Reg HKLM\SOFTWARE\Classes\.mn8@ Money.LegacyDoc8
Reg HKLM\SOFTWARE\Classes\.mn9@ Money.LegacyDoc9
Reg HKLM\SOFTWARE\Classes\.mny@ Money.Document
Reg HKLM\SOFTWARE\Classes\.mny\Money.Document
Reg HKLM\SOFTWARE\Classes\.mny\Money.Document\ShellNew
Reg HKLM\SOFTWARE\Classes\.mny\Money.Document\ShellNew@
Reg HKLM\SOFTWARE\Classes\.ofx@ ofx.Document
Reg HKLM\SOFTWARE\Classes\.ofx@Content Type text/ofx
Reg HKLM\SOFTWARE\Classes\.qif@ qif.Document
Reg HKLM\SOFTWARE\Classes\.qif@Content Type text/qif
Reg HKLM\SOFTWARE\Classes\autoform.AutoFormData@ AutoFormData Object
Reg HKLM\SOFTWARE\Classes\autoform.AutoFormData\Clsid
Reg HKLM\SOFTWARE\Classes\autoform.AutoFormData\Clsid@ {C959374E-9BAA-4413-8CE9-EB5B11A7F009}
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit@ CddbCredit Class
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CLSID
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CLSID@ {bfe639ee-762e-46c4-ae7c-3c34ccc317ff}
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CurVer
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CurVer@ CDDBControlWinamp5.CddbCredit.1
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit.1@ CddbCredit Class
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit.1\CLSID
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit.1\CLSID@ {bfe639ee-762e-46c4-ae7c-3c34ccc317ff}
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbDisc.1@ CddbDisc Class
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbDisc.1\CLSID
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbDisc.1\CLSID@ {c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbFullName.1@ CddbFullName Class
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbFullName.1\CLSID
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbFullName.1\CLSID@ {f1110c60-736a-4d58-8e2a-4935dfcf9ac7}
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control@ CDDBWinamp5Control Class
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control\CLSID
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control\CLSID@ {f2e9891e-0ce2-40bc-a6df-ed87c817b83d}
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control\CurVer
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control\CurVer@ CDDBControlWinamp5.CDDBWinamp5Control.1
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1@ CDDBWinamp5Control Class
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1\CLSID
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1\CLSID@ {f2e9891e-0ce2-40bc-a6df-ed87c817b83d}
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1\Insertable
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.FullName@ CddbFullName Class
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.FullName\CLSID
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.FullName\CLSID@ {f1110c60-736a-4d58-8e2a-4935dfcf9ac7}
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.FullName\CurVer
Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.FullName\CurVer@ CDDBControlWinamp5.CddbFullName.1
Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI@ CddbWinamp5UI Class
Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI\CLSID
Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI\CLSID@ {0dabacb1-1a16-4082-a610-3d0b3a2a94fc}
Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI\CurVer
Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI\CurVer@ CDDBUIControlWinamp5.CddbWinamp5UI.1
Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI.1@ CddbWinamp5UI Class
Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI.1\CLSID
Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI.1\CLSID@ {0dabacb1-1a16-4082-a610-3d0b3a2a94fc}
Reg HKLM\SOFTWARE\Classes\ChrtCtl.ChrtCtl@ MSN Money Charting
Reg HKLM\SOFTWARE\Classes\ChrtCtl.ChrtCtl\CurVer
Reg HKLM\SOFTWARE\Classes\ChrtCtl.ChrtCtl\CurVer@ ChrtCtl.ChrtCtl.1
Reg HKLM\SOFTWARE\Classes\ChrtCtl.ChrtCtl.1@ MSN Money Charting
Reg HKLM\SOFTWARE\Classes\ChrtCtl.ChrtCtl.1\CLSID
Reg HKLM\SOFTWARE\Classes\ChrtCtl.ChrtCtl.1\CLSID@ {3DC2E31C-371A-4bd3-9A27-CDF57CE604CF}
Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\InProcServer32@ %SystemRoot%\system32\SHELL32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\InProcServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{356792C4-73BF-2C52-49B8-91546A661B05}\CLSID@ Standard Picture
Reg HKLM\SOFTWARE\Classes\CLSID\{356792C4-73BF-2C52-49B8-91546A661B05}\InprocServer32@ oleaut32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{356792C4-73BF-2C52-49B8-91546A661B05}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{356792C4-73BF-2C52-49B8-91546A661B05}\InprocServer32@InprocServer32 )N3N1HH2g(@=z?VnZA8KWP_REDISTS>M5KDYSUnf(HA*L[xeX)y?lj^'G5k-g(=,}?Vrk!(lShared>M5KDYSUnf(HA*L[xeX)y?
Reg HKLM\SOFTWARE\Classes\CLSID\{356792C4-73BF-2C52-49B8-91546A661B05}\ProgID@ StdPicture
Reg HKLM\SOFTWARE\Classes\CLSID\{5A1FAA41-5586-A147-6396-912BC0718A72}\InprocServer32@ C:\WINDOWS\system32\quartz.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{5A1FAA41-5586-A147-6396-912BC0718A72}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\InprocServer32@ C:\WINDOWS\System32\upnp.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\ProgID@ UPnP.DescriptionDocument.1
Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\TypeLib@ {DB3442A7-A2E9-4A59-9CB5-F5C1A5D901E5}
Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\VersionIndependentProgID@ UPnP.DescriptionDocument
Reg HKLM\SOFTWARE\Classes\CLSID\{DE2BDEC9-7FE4-55BB-F709-162A2FF71EEC}\InProcServer32@ %SystemRoot%\system32\SHELL32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{DE2BDEC9-7FE4-55BB-F709-162A2FF71EEC}\InProcServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\Director.Playlists@ CPlaylists Object
Reg HKLM\SOFTWARE\Classes\Director.Playlists\CLSID
Reg HKLM\SOFTWARE\Classes\Director.Playlists\CLSID@ {AE4FC5BE-6248-4EB0-9918-BCB1D2B878B3}
Reg HKLM\SOFTWARE\Classes\Director.Playlists\CurVer
Reg HKLM\SOFTWARE\Classes\Director.Playlists\CurVer@ Director.Playlists.1
Reg HKLM\SOFTWARE\Classes\Director.Playlists.1@ CPlaylists Object
Reg HKLM\SOFTWARE\Classes\Director.Playlists.1\CLSID
Reg HKLM\SOFTWARE\Classes\Director.Playlists.1\CLSID@ {AE4FC5BE-6248-4EB0-9918-BCB1D2B878B3}
Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary@ CSupportLibrary Object
Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary\CLSID
Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary\CLSID@ {AECAFA59-4D60-49B1-9037-81248A79F3A4}
Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary\CurVer
Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary\CurVer@ Director.SupportLibrary.1
Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary.1@ CSupportLibrary Object
Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary.1\CLSID
Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary.1\CLSID@ {AECAFA59-4D60-49B1-9037-81248A79F3A4}
Reg HKLM\SOFTWARE\Classes\Director.Tracks@ CTracks Object
Reg HKLM\SOFTWARE\Classes\Director.Tracks\CLSID
Reg HKLM\SOFTWARE\Classes\Director.Tracks\CLSID@ {372D1C09-EBAF-477C-82F4-426173BD61C3}
Reg HKLM\SOFTWARE\Classes\Director.Tracks\CurVer
Reg HKLM\SOFTWARE\Classes\Director.Tracks\CurVer@ Director.Tracks.1
Reg HKLM\SOFTWARE\Classes\Director.Tracks.1@ CTracks Object
Reg HKLM\SOFTWARE\Classes\Director.Tracks.1\CLSID
Reg HKLM\SOFTWARE\Classes\Director.Tracks.1\CLSID@ {372D1C09-EBAF-477C-82F4-426173BD61C3}

 

[Phasmos]

GMER RESULTS (Pt. 6):

Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory@ Macromedia Flash Factory Object
Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID
Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID@ {D27CDB70-AE6D-11cf-96B8-444553540000}
Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer
Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer@ FlashFactory.FlashFactory.1
Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory.1@ Macromedia Flash Factory Object
Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID
Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID@ {D27CDB70-AE6D-11cf-96B8-444553540000}
Reg HKLM\SOFTWARE\Classes\FndrCtl.FndrCtl@ MSN Money Screener
Reg HKLM\SOFTWARE\Classes\FndrCtl.FndrCtl\CurVer
Reg HKLM\SOFTWARE\Classes\FndrCtl.FndrCtl\CurVer@ FndrCtl.FndrCtl.1
Reg HKLM\SOFTWARE\Classes\FndrCtl.FndrCtl.1@ MSN Money Screener
Reg HKLM\SOFTWARE\Classes\FndrCtl.FndrCtl.1\CLSID
Reg HKLM\SOFTWARE\Classes\FndrCtl.FndrCtl.1\CLSID@ {7F4824E8-21D1-4a62-BD34-AB670833DFB6}
Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper@ Macromedia Flash Paper
Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID
Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon
Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon@ C:\PROGRA~1\MOZILL~1\FIREFOX.EXE,1
Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell
Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open
Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command
Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command@ C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner@ WiFiScanner Class
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner\CLSID
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner\CLSID@ {86D0C901-A1EC-48F7-BADC-09FEA70E91E2}
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner\CurVer
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner\CurVer@ Microsoft.MapPoint.WiFiScanner.1
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner.1@ WiFiScanner Class
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner.1\CLSID
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner.1\CLSID@ {86D0C901-A1EC-48F7-BADC-09FEA70E91E2}
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult@ WiFiScanResult Class
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult\CLSID
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult\CLSID@ {3AE61C81-BE5B-4297-BA1C-2B2A629A2256}
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult\CurVer
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult\CurVer@ Microsoft.MapPoint.WiFiScanResult.1
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult.1@ WiFiScanResult Class
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult.1\CLSID
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult.1\CLSID@ {3AE61C81-BE5B-4297-BA1C-2B2A629A2256}
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10@ WiFiScanResults Class
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10\CLSID
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10\CLSID@ {46157CA5-442D-4CFF-84C0-6A4DF834E6F3}
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10\CurVer
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10\CurVer@ Microsoft.MapPoint.WiFiScanResults10.1
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10.1@ WiFiScanResults Class
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10.1\CLSID
Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10.1\CLSID@ {46157CA5-442D-4CFF-84C0-6A4DF834E6F3}
Reg HKLM\SOFTWARE\Classes\money@ URL:Money Protocol
Reg HKLM\SOFTWARE\Classes\money@EditFlags 2
Reg HKLM\SOFTWARE\Classes\money@URL Protocol
Reg HKLM\SOFTWARE\Classes\money\Shell
Reg HKLM\SOFTWARE\Classes\money\Shell\Open
Reg HKLM\SOFTWARE\Classes\money\Shell\Open\Command
Reg HKLM\SOFTWARE\Classes\money\Shell\Open\Command@ c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.exe -url:%1
Reg HKLM\SOFTWARE\Classes\Money.Document@ Microsoft Money file
Reg HKLM\SOFTWARE\Classes\Money.Document\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Money.Document\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\Money.Document\Shell
Reg HKLM\SOFTWARE\Classes\Money.Document\Shell@ Open
Reg HKLM\SOFTWARE\Classes\Money.Document\Shell\Open
Reg HKLM\SOFTWARE\Classes\Money.Document\Shell\Open\Command
Reg HKLM\SOFTWARE\Classes\Money.Document\Shell\Open\Command@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc1@ Microsoft Money v1 backup.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc1@NoOpen This is a Money v1 file. Use the file command in Money v1 to open it.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc1\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc1\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc10@ Microsoft Money 2002 backup.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc10@NoOpen This is a Money 2002 file. Use the file command in Money 2002 to open it.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc10\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc10\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc11@ Microsoft Money 2003 backup.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc11@NoOpen This is a Money 2003 file. Use the file command in Money 2003 to open it.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc11\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc11\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc12@ Microsoft Money 2004 backup.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc12@NoOpen This is a Money 2004 file. Use the file command in Money 2004 to open it.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc12\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc12\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc14@ Microsoft Money 2005 backup.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc14@NoOpen This is a Money 2005 file. Use the file command in Money 2005 to open it.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc14\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc14\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc2@ Microsoft Money v2 backup.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc2@NoOpen This is a Money v2 file. Use the file command in Money v2 to open it.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc2\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc2\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc3@ Microsoft Money v3 backup.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc3@NoOpen This is a Money v3 file. Use the file command in Money v3 to open it.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc3\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc3\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc4@ Microsoft Money '95 backup.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc4@NoOpen This is a Money '95 file. Use the file command in Money '95 to open it.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc4\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc4\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc5@ Microsoft Money '97 backup.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc5@NoOpen This is a Money '97 file. Use the file command in Money '97 to open it.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc5\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc5\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc6@ Microsoft Money '98 backup.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc6@NoOpen This is a Money '98 file. Use the file command in Money '98 to open it.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc6\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc6\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc7@ Microsoft Money '99 backup.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc7@NoOpen This is a Money '99 file. Use the file command in Money '99 to open it.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc7\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc7\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc8@ Microsoft Money 2000 backup.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc8@NoOpen This is a Money 2000 file. Use the file command in Money 2000 to open it.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc8\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc8\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc9@ Microsoft Money 2001 backup.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc9@NoOpen This is a Money 2001 file. Use the file command in Money 2001 to open it.
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc9\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc9\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document@ Microsoft Money backup File
Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document\DefaultIcon
Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document\Shell
Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document\Shell@ Open
Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document\Shell\Open
Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document\Shell\Open\Command
Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document\Shell\Open\Command@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE" "%1"
Reg HKLM\SOFTWARE\Classes\ofx.Document@

 

[Phasmos]

GMER RESULTS (Pt. 7):

Open Financial Exchange File
Reg HKLM\SOFTWARE\Classes\ofx.Document@EditFlags 65792
Reg HKLM\SOFTWARE\Classes\ofx.Document\DefaultIcon
Reg HKLM\SOFTWARE\Classes\ofx.Document\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\ofx.Document\Shell
Reg HKLM\SOFTWARE\Classes\ofx.Document\Shell\Open
Reg HKLM\SOFTWARE\Classes\ofx.Document\Shell\Open\Command
Reg HKLM\SOFTWARE\Classes\ofx.Document\Shell\Open\Command@ "c:\program files\microsoft money 2006\MNYCoreFiles\mnyimprt.exe" %1
Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList@ AxTaskList Class
Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList\CLSID
Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList\CLSID@ {656FAD09-4DE3-4c34-9600-0928C855FD7A}
Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList\CurVer
Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList\CurVer@ PortMgr.AxTaskList.1
Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList.1@ AxTaskList Class
Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList.1\CLSID
Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList.1\CLSID@ {656FAD09-4DE3-4c34-9600-0928C855FD7A}
Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager@ PortfolioManager Class
Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager\CLSID
Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager\CLSID@ {C287744F-F58B-4923-97F4-8E365EB60075}
Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager\CurVer
Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager\CurVer@ PortMgr.PortfolioManager.1
Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager.1@ PortfolioManager Class
Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager.1\CLSID
Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager.1\CLSID@ {C287744F-F58B-4923-97F4-8E365EB60075}
Reg HKLM\SOFTWARE\Classes\qif.Document@ Quicken Import File
Reg HKLM\SOFTWARE\Classes\qif.Document@EditFlags 256
Reg HKLM\SOFTWARE\Classes\qif.Document\DefaultIcon
Reg HKLM\SOFTWARE\Classes\qif.Document\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
Reg HKLM\SOFTWARE\Classes\qif.Document\Shell
Reg HKLM\SOFTWARE\Classes\qif.Document\Shell\Open
Reg HKLM\SOFTWARE\Classes\qif.Document\Shell\Open\Command
Reg HKLM\SOFTWARE\Classes\qif.Document\Shell\Open\Command@ "c:\program files\microsoft money 2006\MNYCoreFiles\mnyimprt.exe" %1
Reg HKLM\SOFTWARE\Classes\QlistCtl.QlistCtl@ MSN Money QuickList
Reg HKLM\SOFTWARE\Classes\QlistCtl.QlistCtl\CurVer
Reg HKLM\SOFTWARE\Classes\QlistCtl.QlistCtl\CurVer@ QlistCtl.QlistCtl.1
Reg HKLM\SOFTWARE\Classes\QlistCtl.QlistCtl.1@ MSN Money QuickList
Reg HKLM\SOFTWARE\Classes\QlistCtl.QlistCtl.1\CLSID
Reg HKLM\SOFTWARE\Classes\QlistCtl.QlistCtl.1\CLSID@ {89A9F739-8F34-40e1-BCD3-62BABEAD3C6F}
Reg HKLM\SOFTWARE\Classes\refdb.helper@ Chelper Object
Reg HKLM\SOFTWARE\Classes\refdb.helper\CLSID
Reg HKLM\SOFTWARE\Classes\refdb.helper\CLSID@ {7CD1F456-8BDA-45ED-BC11-4B7340E05315}
Reg HKLM\SOFTWARE\Classes\refdb.helper\CurVer
Reg HKLM\SOFTWARE\Classes\refdb.helper\CurVer@ refdb.helper.1
Reg HKLM\SOFTWARE\Classes\refdb.helper.1@ Chelper Object
Reg HKLM\SOFTWARE\Classes\refdb.helper.1\CLSID
Reg HKLM\SOFTWARE\Classes\refdb.helper.1\CLSID@ {7CD1F456-8BDA-45ED-BC11-4B7340E05315}
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash@ Shockwave Flash Object
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer@ ShockwaveFlash.ShockwaveFlash.9
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1@ Shockwave Flash Object
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3@ Shockwave Flash Object
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4@ Shockwave Flash Object
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5@ Shockwave Flash Object
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6@ Shockwave Flash Object
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7@ Shockwave Flash Object
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8@ Shockwave Flash Object
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID
Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
Reg HKLM\SOFTWARE\Classes\Surfboard.SurfShim15.View@ Surfboard Shim Doc Object View
Reg HKLM\SOFTWARE\Classes\Surfboard.SurfShim15.View\BrowseInPlace
Reg HKLM\SOFTWARE\Classes\Surfboard.SurfShim15.View\BrowseInPlace@
Reg HKLM\SOFTWARE\Classes\Surfboard.SurfShim15.View\CLSID
Reg HKLM\SOFTWARE\Classes\Surfboard.SurfShim15.View\CLSID@ {1ff1dc5d-d5c9-479b-be9b-5ef8fee7fb0c}
Reg HKLM\SOFTWARE\Classes\Surfboard.SurfShim15.View\DocObject
Reg HKLM\SOFTWARE\Classes\Surfboard.SurfShim15.View\DocObject@
Reg HKLM\SOFTWARE\Classes\wareo\shell
Reg HKLM\SOFTWARE\Classes\wareo\shell\open
Reg HKLM\SOFTWARE\Classes\warep\shell
Reg HKLM\SOFTWARE\Classes\warep\shell\open
Reg HKLM\SOFTWARE\Classes\warez@ URL:Warez protocol
Reg HKLM\SOFTWARE\Classes\warez@URL Protocol
Reg HKLM\SOFTWARE\Classes\warez\shell
Reg HKLM\SOFTWARE\Classes\warez\shell\open
Reg HKLM\SOFTWARE\Classes\warez.DocHostUIHandler@ Implements DocHostUIHandler
Reg HKLM\SOFTWARE\Classes\warez.DocHostUIHandler\Clsid
Reg HKLM\SOFTWARE\Classes\warez.DocHostUIHandler\Clsid@ {3F2BBC05-40DF-11D2-9455-00104BC936FF}
Reg HKLM\SOFTWARE\Classes\warezo@ URL:Warez Of1
Reg HKLM\SOFTWARE\Classes\warezo@URL Protocol
Reg HKLM\SOFTWARE\Classes\warezo\shell
Reg HKLM\SOFTWARE\Classes\warezo\shell\open
Reg HKLM\SOFTWARE\Classes\warezp@ URL:Warez Of2
Reg HKLM\SOFTWARE\Classes\warezp@URL Protocol
Reg HKLM\SOFTWARE\Classes\warezp\shell
Reg HKLM\SOFTWARE\Classes\warezp\shell\open
Reg HKLM\SOFTWARE\Classes\warezq@ URL:Warez_Query protocol
Reg HKLM\SOFTWARE\Classes\warezq@URL Protocol
Reg HKLM\SOFTWARE\Classes\warezq\shell
Reg HKLM\SOFTWARE\Classes\warezq\shell\open
Reg HKLM\SOFTWARE\Classes\Winamp\shell
Reg HKLM\SOFTWARE\Classes\Winamp\shell\WinampMTPHandler
Reg HKLM\SOFTWARE\Classes\Winamp\shell\WinampMTPHandler@command C:\Program Files\Winamp\winamp.exe
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document@ WordPerfect Document
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\CLSID
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\CLSID@ {A25250CA-50C1-11D3-8EA3-0090271BECDD}
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\CurVer
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\CurVer@ WP10Doc
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\DefaultIcon
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\DefaultIcon@ C:\Program Files\Corel\WordPerfect Office 2002\Programs\pficon100.dll,-5121
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell@ open
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\open
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\open@ &Open
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\open\command
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\open\command@ "C:\Program Files\Corel\WordPerfect Office 2002\Programs\wpwin10.exe" "%1"
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print@ &Print
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\command
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\command@ "C:\Program Files\Corel\WordPerfect Office 2002\Programs\wpwin10.exe" /ddeex /smin :
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\ddeexec
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\ddeexec@ FileOpen("%1") PrintFullDoc() CloseNoSave(1)
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\ddeexec\application
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\ddeexec\application@ WPWin10_Macros
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\ddeexec\topic
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\ddeexec\topic@ Commands
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\command
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\command@ "C:\Program Files\Corel\WordPerfect Office 2002\Programs\wpwin10.exe" /ddeex /smin :
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\ddeexec
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\ddeexec@ PrintTo("%1";"%2";"%3";"%4")
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\ddeexec\application
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\ddeexec\application@ WPWin10_Macros
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\ddeexec\topic
Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\ddeexec\topic@ Commands
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@naefhjfecjgklgmlbhknefccfpnp 0x69 0x61 0x6E 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@oagipbnkbecbjjigpkkfoobcddbebp 0x6A 0x61 0x6E 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@gboldljabahbhalinijnhgpnbkeibloinjbjcbinihkinh 0x6B 0x61 0x63 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@bbmleofpghcbcapeejehbfheehpkfnkgneaj 0x6A 0x63 0x61 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@oagipbnkbecbjjigpkkfnoecgmmlmf 0x6B 0x61 0x6B 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@naefhjfecjgklgmlbhlnpehokide 0x6A 0x61 0x6B 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@oaclclemhekndgiilhohbjppdknolm 0x6C 0x61 0x63 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@oadlgliikfiaeogpflmecopdhmahmp 0x66 0x62 0x61 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@pahlmkjkeljkjgfdkiojhgadjjeglmfl 0x64 0x62 0x6C 0x63 ...

---- EOF - GMER 1.0.15 ----


I could not get DDS to run at all. The command line window opens for 1 second and then simply disappears.

 

[Broni]

First of all you should never run Combofix on your own.
Then, playing with registry is a very bad idea as well. You can make things even worse.

Download Bootkit Remover to your desktop.

• Unzip downloaded file to your Desktop.
• Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
• It will show a Black screen with some data on it.
• Right click on the screen and click Select All.
• Press CTRL+C
• Open a Notepad and press CTRL+V
• Post the output back here.

===================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

 

[Phasmos]

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

 

[Phasmos]

Tried to run the ASWmbr scan, but the comp. shut down halfway through, with a message that read:

"A problem has been detected and Windows has been shut down to prevent damage to your computer."

It goes on to mention some "Technical Information," which read as follows:

-------------------------------------------------------------------------------------------------------------------
*** STOP: 0x0000008E (0xC0000005, 0xF76BE827, 0xF75C55F0, 0x00000000)
*** aswSnx.SYS - Address F76BE827 base at F7682000, DateStamp 4f56a5e5
Beginning dump of physical memory
Physical memory dump complete.
-------------------------------------------------------------------------------------------------------------------

Should I try to run ASWmbr again?

 

[Broni]

Please download and run ListParts by Farbar (for 32-bit system) to your desktop.

Please download and run ListParts64 by Farbar (for 64-bit system) to your desktop.

Click on Scan button.

Scan result will open in Notepad.
Post it in your next reply.

 

[Phasmos]

Here is the result:

ListParts by Farbar Version: 12-03-2012 03
Ran by Ann (administrator) on 22-05-2012 at 13:11:35
Windows XP (X86)
Running From: C:\Documents and Settings\Ann\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 84%
Total physical RAM: 255 MB
Available physical RAM: 39.74 MB
Total Pagefile: 617.32 MB
Available Pagefile: 311.47 MB
Total Virtual: 2047.88 MB
Available Virtual: 2002.9 MB

======================= Partitions =========================

2 Drive c: () (Fixed) (Total:74.5 GB) (Free:14 GB) NTFS ==>[Drive with boot components (Windows XP)]
4 Drive f: (Chris's Big) (Removable) (Total:1.87 GB) (Free:0.55 GB) FAT

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 74 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 74 GB 32 KB
======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 74 GB Healthy System (partition with boot components)
======================================================================================================

****** End Of Log ******

 

[Phasmos]

BTW, whatever we're doing must be having some effect -- the computer is running faster already!

 

[Broni]

Hmm...we didn't really fix anything yet

Download TDSSKiller and save it to your desktop.

• Extract (unzip) its contents to your desktop.
• Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
• If an infected file is detected, the default action will be Cure, click on Continue.
• If a suspicious file is detected, the default action will be Skip, click on Continue.
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
• If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

 

[Phasmos]

Well, maybe we've caught the bugger napping... ;D

Ok, running TDSSkiller... stand by for results...

 

[Phasmos]

13:21:34.0609 2076 TDSS rootkit removing tool 2.7.36.0 May 21 2012 16:40:16
13:21:36.0093 2076 ============================================================
13:21:36.0093 2076 Current date / time: 2012/05/22 13:21:36.0093
13:21:36.0093 2076 SystemInfo:
13:21:36.0093 2076
13:21:36.0093 2076 OS Version: 5.1.2600 ServicePack: 3.0
13:21:36.0093 2076 Product type: Workstation
13:21:36.0093 2076 ComputerName: HOME1
13:21:36.0187 2076 UserName: Ann
13:21:36.0187 2076 Windows directory: C:\WINDOWS
13:21:36.0187 2076 System windows directory: C:\WINDOWS
13:21:36.0187 2076 Processor architecture: Intel x86
13:21:36.0187 2076 Number of processors: 1
13:21:36.0187 2076 Page size: 0x1000
13:21:36.0187 2076 Boot type: Normal boot
13:21:36.0187 2076 ============================================================
13:21:49.0937 2076 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
13:21:50.0687 2076 Drive \Device\Harddisk1\DR2 - Size: 0x77700000 (1.87 Gb), SectorSize: 0x200, Cylinders: 0xF3, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
13:21:50.0687 2076 ============================================================
13:21:50.0687 2076 \Device\Harddisk0\DR0:
13:21:50.0703 2076 MBR partitions:
13:21:50.0703 2076 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x94FE97E
13:21:50.0703 2076 \Device\Harddisk1\DR2:
13:21:50.0718 2076 MBR partitions:
13:21:50.0718 2076 \Device\Harddisk1\DR2\Partition0: MBR, Type 0x6, StartLBA 0x80, BlocksNum 0x3BB780
13:21:50.0718 2076 ============================================================
13:21:50.0953 2076 C: <-> \Device\Harddisk0\DR0\Partition0
13:21:50.0953 2076 ============================================================
13:21:50.0953 2076 Initialize success
13:21:50.0953 2076 ============================================================
13:22:04.0921 2216 ============================================================
13:22:04.0921 2216 Scan started
13:22:04.0921 2216 Mode: Manual;
13:22:04.0921 2216 ============================================================
13:22:05.0640 2216 Aavmker4 (473f97edc5a5312f3665ab2921196c0c) C:\WINDOWS\system32\drivers\Aavmker4.sys
13:22:05.0640 2216 Aavmker4 - ok
13:22:05.0656 2216 Abiosdsk - ok
13:22:05.0687 2216 abp480n5 - ok
13:22:05.0812 2216 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:22:06.0015 2216 ACPI - ok
13:22:06.0093 2216 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
13:22:06.0093 2216 ACPIEC - ok
13:22:06.0109 2216 adpu160m - ok
13:22:06.0203 2216 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
13:22:06.0250 2216 aec - ok
13:22:06.0359 2216 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
13:22:06.0406 2216 AFD - ok
13:22:06.0468 2216 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
13:22:06.0500 2216 agp440 - ok
13:22:06.0500 2216 Aha154x - ok
13:22:06.0531 2216 aic78u2 - ok
13:22:06.0546 2216 aic78xx - ok
13:22:06.0609 2216 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
13:22:06.0687 2216 Alerter - ok
13:22:06.0750 2216 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
13:22:06.0765 2216 ALG - ok
13:22:06.0781 2216 AliIde - ok
13:22:06.0796 2216 amsint - ok
13:22:06.0984 2216 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
13:22:07.0046 2216 Apple Mobile Device - ok
13:22:07.0062 2216 AppMgmt - ok
13:22:07.0093 2216 asc - ok
13:22:07.0109 2216 asc3350p - ok
13:22:07.0125 2216 asc3550 - ok
13:22:07.0203 2216 ASPI32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\ASPI32.sys
13:22:07.0218 2216 ASPI32 - ok
13:22:07.0390 2216 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
13:22:07.0578 2216 aspnet_state - ok
13:22:07.0640 2216 aswFsBlk (0ae43c6c411254049279c2ee55630f95) C:\WINDOWS\system32\drivers\aswFsBlk.sys
13:22:07.0656 2216 aswFsBlk - ok
13:22:07.0734 2216 aswMon2 (8c30b7ddd2f1d8d138ebe40345af2b11) C:\WINDOWS\system32\drivers\aswMon2.sys
13:22:07.0781 2216 aswMon2 - ok
13:22:07.0812 2216 AswRdr (da12626fd9a67f4e917e2f2fbe1e1764) C:\WINDOWS\system32\drivers\AswRdr.sys
13:22:07.0828 2216 AswRdr - ok
13:22:08.0078 2216 aswSnx (dcb199b967375753b5019ec15f008f53) C:\WINDOWS\system32\drivers\aswSnx.sys
13:22:08.0375 2216 aswSnx - ok
13:22:08.0765 2216 aswSP (b32873e5a1443c0a1e322266e203bf10) C:\WINDOWS\system32\drivers\aswSP.sys
13:22:08.0906 2216 aswSP - ok
13:22:08.0953 2216 aswTdi (6ff544175a9180c5d88534d3d9c9a9f7) C:\WINDOWS\system32\drivers\aswTdi.sys
13:22:08.0968 2216 aswTdi - ok
13:22:09.0031 2216 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:22:09.0031 2216 AsyncMac - ok
13:22:09.0156 2216 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:22:09.0187 2216 atapi - ok
13:22:09.0203 2216 Atdisk - ok
13:22:09.0265 2216 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:22:09.0312 2216 Atmarpc - ok
13:22:09.0390 2216 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
13:22:09.0437 2216 AudioSrv - ok
13:22:09.0500 2216 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
13:22:09.0500 2216 audstub - ok
13:22:09.0656 2216 avast! Antivirus (4041d31508a2a084dfb42c595854090f) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
13:22:09.0703 2216 avast! Antivirus - ok
13:22:09.0750 2216 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
13:22:09.0750 2216 Beep - ok
13:22:09.0937 2216 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
13:22:10.0609 2216 BITS - ok
13:22:10.0812 2216 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
13:22:10.0937 2216 Bonjour Service - ok
13:22:11.0031 2216 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
13:22:11.0062 2216 Browser - ok
13:22:11.0078 2216 BW2NDIS5 - ok
13:22:11.0125 2216 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
13:22:11.0156 2216 cbidf2k - ok
13:22:11.0218 2216 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
13:22:11.0218 2216 CCDECODE - ok
13:22:11.0234 2216 cd20xrnt - ok
13:22:11.0296 2216 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
13:22:11.0296 2216 Cdaudio - ok
13:22:11.0375 2216 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
13:22:11.0390 2216 Cdfs - ok
13:22:11.0453 2216 Cdr4_xp (bf79e659c506674c0497cc9c61f1a165) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
13:22:11.0468 2216 Cdr4_xp - ok
13:22:11.0484 2216 Cdralw2k (2c41cd49d82d5fd85c72d57b6ca25471) C:\WINDOWS\system32\drivers\Cdralw2k.sys
13:22:11.0500 2216 Cdralw2k - ok
13:22:11.0546 2216 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:22:11.0562 2216 Cdrom - ok
13:22:11.0703 2216 cdudf_xp (cfd81f2140193fc7f1812e6d6eaf6795) C:\WINDOWS\system32\drivers\cdudf_xp.sys
13:22:11.0812 2216 cdudf_xp - ok
13:22:11.0828 2216 Changer - ok
13:22:11.0875 2216 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
13:22:11.0890 2216 CiSvc - ok
13:22:11.0937 2216 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
13:22:11.0953 2216 ClipSrv - ok
13:22:12.0171 2216 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
13:22:12.0468 2216 clr_optimization_v2.0.50727_32 - ok
13:22:12.0640 2216 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
13:22:12.0843 2216 clr_optimization_v4.0.30319_32 - ok
13:22:12.0859 2216 CmdIde - ok
13:22:12.0875 2216 COMSysApp - ok
13:22:12.0906 2216 Cpqarray - ok
13:22:12.0968 2216 Creative Service for CDROM Access (3c8b6609712f4ff78e521f6dcfc4032b) C:\WINDOWS\System32\CTsvcCDA.exe
13:22:12.0984 2216 Creative Service for CDROM Access - ok
13:22:13.0109 2216 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
13:22:13.0125 2216 CryptSvc - ok
13:22:13.0156 2216 dac2w2k - ok
13:22:13.0171 2216 dac960nt - ok
13:22:13.0375 2216 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
13:22:13.0562 2216 DcomLaunch - ok
13:22:13.0578 2216 DgiVecp - ok
13:22:13.0671 2216 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
13:22:13.0718 2216 Dhcp - ok
13:22:13.0781 2216 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
13:22:13.0812 2216 Disk - ok
13:22:13.0828 2216 dmadmin - ok
13:22:14.0171 2216 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
13:22:14.0515 2216 dmboot - ok
13:22:14.0593 2216 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
13:22:14.0640 2216 dmio - ok
13:22:14.0687 2216 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
13:22:14.0687 2216 dmload - ok
13:22:14.0781 2216 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
13:22:14.0796 2216 dmserver - ok
13:22:14.0875 2216 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
13:22:14.0890 2216 DMusic - ok
13:22:14.0953 2216 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
13:22:14.0984 2216 Dnscache - ok
13:22:15.0078 2216 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
13:22:15.0125 2216 Dot3svc - ok
13:22:15.0156 2216 dpti2o - ok
13:22:15.0187 2216 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
13:22:15.0187 2216 drmkaud - ok
13:22:15.0250 2216 dvd43llh (1fc1eed3ea0c3a0ecf8a95b97e1b4831) C:\WINDOWS\system32\DRIVERS\dvd43llh.sys
13:22:15.0265 2216 dvd43llh - ok
13:22:15.0328 2216 dvd_2K (677829f7010768eeeed8d0083e510dab) C:\WINDOWS\system32\drivers\dvd_2K.sys
13:22:15.0359 2216 dvd_2K - ok
13:22:15.0453 2216 E100B (98ed0bea10477b0f252cca35eb50f838) C:\WINDOWS\system32\DRIVERS\e100b325.sys
13:22:15.0531 2216 E100B - ok
13:22:15.0578 2216 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
13:22:15.0593 2216 EapHost - ok
13:22:15.0656 2216 EMLSS (de58b034f27f45a615c0c28e8c66be3c) C:\WINDOWS\system32\drivers\emltdi.sys
13:22:15.0718 2216 EMLSS - ok
13:22:15.0765 2216 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
13:22:15.0796 2216 ERSvc - ok
13:22:15.0890 2216 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
13:22:16.0000 2216 Eventlog - ok
13:22:16.0156 2216 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\System32\es.dll
13:22:16.0250 2216 EventSystem - ok
13:22:16.0359 2216 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
13:22:16.0421 2216 Fastfat - ok
13:22:16.0500 2216 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
13:22:16.0578 2216 FastUserSwitchingCompatibility - ok
13:22:16.0640 2216 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
13:22:16.0656 2216 Fdc - ok
13:22:16.0703 2216 FilterService (a75ddc492d2d1d6558ad8003a4adb73a) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
13:22:16.0750 2216 FilterService - ok
13:22:16.0796 2216 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
13:22:16.0812 2216 Fips - ok
13:22:16.0828 2216 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
13:22:16.0843 2216 Flpydisk - ok
13:22:16.0953 2216 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
13:22:17.0015 2216 FltMgr - ok
13:22:17.0187 2216 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
13:22:17.0218 2216 FontCache3.0.0.0 - ok
13:22:17.0281 2216 FsUsbExDisk (cbe5f69a5e5b918225f420ba748f3742) C:\WINDOWS\system32\FsUsbExDisk.SYS
13:22:17.0296 2216 FsUsbExDisk - ok
13:22:17.0343 2216 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:22:17.0343 2216 Fs_Rec - ok
13:22:17.0421 2216 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:22:17.0468 2216 Ftdisk - ok
13:22:17.0484 2216 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
13:22:17.0515 2216 gameenum - ok
13:22:17.0562 2216 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
13:22:17.0562 2216 GEARAspiWDM - ok
13:22:17.0625 2216 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:22:17.0656 2216 Gpc - ok
13:22:17.0718 2216 gupdate - ok
13:22:17.0750 2216 gupdatem - ok
13:22:17.0765 2216 gusvc - ok
13:22:17.0875 2216 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
13:22:17.0984 2216 helpsvc - ok
13:22:18.0031 2216 HidServ - ok
13:22:18.0078 2216 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
13:22:18.0093 2216 HidUsb - ok
13:22:18.0156 2216 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
13:22:18.0187 2216 hkmsvc - ok
13:22:18.0203 2216 hpn - ok
13:22:18.0265 2216 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
13:22:18.0296 2216 HPZid412 - ok
13:22:18.0312 2216 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
13:22:18.0328 2216 HPZipr12 - ok
13:22:18.0390 2216 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
13:22:18.0406 2216 HPZius12 - ok
13:22:18.0515 2216 HSFHWBS2 (96fae6dc24574b1cb08dcf9d984a5be4) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
13:22:18.0593 2216 HSFHWBS2 - ok
13:22:19.0046 2216 HSF_DP (2efa8dd8b0270a3a7202ce5f4da465b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
13:22:19.0484 2216 HSF_DP - ok
13:22:19.0625 2216 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
13:22:19.0734 2216 HTTP - ok
13:22:19.0781 2216 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
13:22:19.0843 2216 HTTPFilter - ok
13:22:19.0859 2216 i2omgmt - ok
13:22:19.0875 2216 i2omp - ok
13:22:19.0953 2216 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:22:19.0968 2216 i8042prt - ok
13:22:20.0140 2216 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
13:22:20.0234 2216 IDriverT - ok
13:22:20.0687 2216 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
13:22:21.0000 2216 idsvc - ok
13:22:21.0046 2216 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
13:22:21.0062 2216 Imapi - ok
13:22:21.0187 2216 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
13:22:21.0250 2216 ImapiService - ok
13:22:21.0281 2216 ini910u - ok
13:22:21.0343 2216 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
13:22:21.0359 2216 IntelIde - ok
13:22:21.0421 2216 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
13:22:21.0453 2216 intelppm - ok
13:22:21.0484 2216 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
13:22:21.0500 2216 ip6fw - ok
13:22:21.0562 2216 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:22:21.0578 2216 IpFilterDriver - ok
13:22:21.0609 2216 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:22:21.0609 2216 IpInIp - ok
13:22:21.0703 2216 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:22:21.0765 2216 IpNat - ok
13:22:22.0171 2216 iPod Service (57edb35ea2feca88f8b17c0c095c9a56) C:\Program Files\iPod\bin\iPodService.exe
13:22:22.0484 2216 iPod Service - ok
13:22:22.0546 2216 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:22:22.0578 2216 IPSec - ok
13:22:22.0625 2216 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
13:22:22.0625 2216 IRENUM - ok
13:22:22.0687 2216 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:22:22.0703 2216 isapnp - ok
13:22:22.0953 2216 JavaQuickStarterService (381b25dc8e958d905b33130d500bbf29) C:\Program Files\Java\jre6\bin\jqs.exe
13:22:23.0000 2216 JavaQuickStarterService - ok
13:22:23.0078 2216 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:22:23.0093 2216 Kbdclass - ok
13:22:23.0203 2216 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
13:22:23.0265 2216 kmixer - ok
13:22:23.0359 2216 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
13:22:23.0390 2216 KSecDD - ok
13:22:23.0484 2216 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
13:22:23.0531 2216 lanmanserver - ok
13:22:23.0640 2216 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
13:22:23.0718 2216 lanmanworkstation - ok
13:22:23.0734 2216 lbrtfdc - ok
13:22:23.0796 2216 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
13:22:23.0812 2216 LmHosts - ok
13:22:23.0906 2216 lvpopflt (01f0e010acb61472163e9d02d3ff531a) C:\WINDOWS\system32\DRIVERS\lvpopflt.sys
13:22:23.0953 2216 lvpopflt - ok
13:22:24.0015 2216 LVPr2Mon (c57c48fb9ae3efb9848af594e3123a63) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
13:22:24.0046 2216 LVPr2Mon - ok
13:22:24.0187 2216 LVPrcSrv (5c7b88695ce461d8bda4fe0c0e57e71d) C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
13:22:24.0250 2216 LVPrcSrv - ok
13:22:24.0390 2216 LVRS (87ecce893d8aec5a9337b917742d339c) C:\WINDOWS\system32\DRIVERS\lvrs.sys
13:22:24.0484 2216 LVRS - ok
13:22:27.0046 2216 LVUVC (291f69b3dda0f033d2490c5ba5179f7c) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
13:22:29.0375 2216 LVUVC - ok
13:22:29.0781 2216 mdmxsdk (aeb54ef22cb7c7e3f405f69f048d696c) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
13:22:29.0781 2216 mdmxsdk - ok
13:22:29.0843 2216 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
13:22:29.0859 2216 Messenger - ok
13:22:29.0906 2216 mmc_2K (9b90303a9c9405a6ce1466ff4aa20fdd) C:\WINDOWS\system32\drivers\mmc_2K.sys
13:22:29.0937 2216 mmc_2K - ok
13:22:29.0984 2216 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
13:22:29.0984 2216 mnmdd - ok
13:22:30.0265 2216 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\System32\mnmsrvc.exe
13:22:30.0281 2216 mnmsrvc - ok
13:22:30.0328 2216 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
13:22:30.0343 2216 Modem - ok
13:22:30.0390 2216 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
13:22:30.0406 2216 Mouclass - ok
13:22:30.0484 2216 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
13:22:30.0484 2216 mouhid - ok
13:22:30.0531 2216 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
13:22:30.0546 2216 MountMgr - ok
13:22:30.0578 2216 mraid35x - ok
13:22:30.0593 2216 MREMP50 - ok
13:22:30.0609 2216 MREMPR5 - ok
13:22:30.0625 2216 MRENDIS5 - ok
13:22:30.0640 2216 MRESP50 - ok
13:22:30.0765 2216 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
13:22:30.0843 2216 MRxDAV - ok
13:22:31.0062 2216 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
13:22:31.0234 2216 MRxSmb - ok
13:22:31.0281 2216 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\System32\msdtc.exe
13:22:31.0296 2216 MSDTC - ok
13:22:31.0343 2216 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
13:22:31.0343 2216 Msfs - ok
13:22:31.0359 2216 MSIServer - ok
13:22:31.0421 2216 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
13:22:31.0421 2216 MSKSSRV - ok
13:22:31.0437 2216 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
13:22:31.0453 2216 MSPCLOCK - ok
13:22:31.0484 2216 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
13:22:31.0484 2216 MSPQM - ok
13:22:31.0546 2216 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
13:22:31.0562 2216 mssmbios - ok
13:22:31.0609 2216 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
13:22:31.0609 2216 MSTEE - ok
13:22:31.0718 2216 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
13:22:31.0765 2216 Mup - ok
13:22:31.0828 2216 mv2 (f9a20fba803ac99579cb6dc14b8e5ca4) C:\WINDOWS\system32\DRIVERS\mv2.sys
13:22:31.0828 2216 mv2 - ok
13:22:31.0906 2216 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
13:22:31.0937 2216 NABTSFEC - ok
13:22:32.0093 2216 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
13:22:32.0203 2216 napagent - ok
13:22:32.0328 2216 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
13:22:32.0406 2216 NDIS - ok
13:22:32.0468 2216 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
13:22:32.0468 2216 NdisIP - ok
13:22:32.0531 2216 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
13:22:32.0531 2216 NdisTapi - ok
13:22:32.0562 2216 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
13:22:32.0578 2216 Ndisuio - ok
13:22:32.0625 2216 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
13:22:32.0671 2216 NdisWan - ok
13:22:32.0734 2216 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
13:22:32.0750 2216 NDProxy - ok
13:22:32.0812 2216 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
13:22:32.0828 2216 NetBIOS - ok
13:22:32.0906 2216 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
13:22:32.0968 2216 NetBT - ok
13:22:33.0062 2216 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
13:22:33.0125 2216 NetDDE - ok
13:22:33.0140 2216 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
13:22:33.0140 2216 NetDDEdsdm - ok
13:22:33.0187 2216 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
13:22:33.0203 2216 Netlogon - ok
13:22:33.0296 2216 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
13:22:33.0375 2216 Netman - ok
13:22:33.0578 2216 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
13:22:33.0687 2216 NetTcpPortSharing - ok
13:22:33.0828 2216 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
13:22:33.0921 2216 Nla - ok
13:22:34.0000 2216 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
13:22:34.0015 2216 Npfs - ok
13:22:34.0265 2216 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
13:22:34.0484 2216 Ntfs - ok
13:22:34.0546 2216 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
13:22:34.0546 2216 NtLmSsp - ok
13:22:34.0750 2216 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
13:22:34.0921 2216 NtmsSvc - ok
13:22:34.0953 2216 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
13:22:34.0968 2216 Null - ok
13:22:35.0640 2216 nv (71dbdc08df86b80511e72953fa1ad6b0) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
13:22:36.0203 2216 nv - ok
13:22:36.0562 2216 NVSvc (5ed834603c36414b579979b3a9c90f54) C:\WINDOWS\system32\nvsvc32.exe
13:22:36.0609 2216 NVSvc - ok
13:22:36.0687 2216 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
13:22:36.0703 2216 NwlnkFlt - ok
13:22:36.0750 2216 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
13:22:36.0781 2216 NwlnkFwd - ok
13:22:36.0859 2216 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
13:22:36.0875 2216 OMCI - ok
13:22:36.0937 2216 OnlineNT (fe3f910425349894f2f158312d2b4931) C:\WINDOWS\system32\drivers\OnlineNT.sys
13:22:36.0953 2216 OnlineNT - ok
13:22:37.0500 2216 P16X (e433c553d00d76fbc616294b60a7a530) C:\WINDOWS\system32\drivers\P16X.sys
13:22:37.0921 2216 P16X - ok
13:22:38.0359 2216 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
13:22:38.0390 2216 Parport - ok
13:22:38.0453 2216 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
13:22:38.0453 2216 PartMgr - ok
13:22:38.0531 2216 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
13:22:38.0531 2216 ParVdm - ok
13:22:38.0593 2216 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
13:22:38.0609 2216 PCI - ok
13:22:38.0625 2216 PCIDump - ok
13:22:38.0687 2216 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
13:22:38.0703 2216 PCIIde - ok
13:22:38.0781 2216 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
13:22:38.0828 2216 Pcmcia - ok
13:22:38.0843 2216 PDCOMP - ok
13:22:38.0859 2216 PDFRAME - ok
13:22:38.0875 2216 PDRELI - ok
13:22:38.0890 2216 PDRFRAME - ok
13:22:38.0906 2216 perc2 - ok
13:22:38.0937 2216 perc2hib - ok
13:22:39.0015 2216 PfModNT (2f5532f9b0f903b26847da674b4f55b2) C:\WINDOWS\System32\PfModNT.sys
13:22:39.0031 2216 PfModNT - ok
13:22:39.0125 2216 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
13:22:39.0140 2216 PlugPlay - ok
13:22:39.0218 2216 Pml Driver HPZ12 (9d84376931440f3679beef2a414fa493) C:\WINDOWS\system32\HPZipm12.exe
13:22:39.0265 2216 Pml Driver HPZ12 - ok
13:22:39.0328 2216 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:22:39.0343 2216 PolicyAgent - ok
13:22:39.0421 2216 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
13:22:39.0453 2216 PptpMiniport - ok
13:22:39.0468 2216 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
13:22:39.0484 2216 Processor - ok
13:22:39.0515 2216 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:22:39.0515 2216 ProtectedStorage - ok
13:22:39.0562 2216 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
13:22:39.0593 2216 PSched - ok
13:22:39.0656 2216 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
13:22:39.0656 2216 Ptilink - ok
13:22:39.0765 2216 pwd_2k (d8b90616a8bd53de281dbdb664c0984a) C:\WINDOWS\system32\drivers\pwd_2k.sys
13:22:39.0812 2216 pwd_2k - ok
13:22:39.0890 2216 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
13:22:39.0906 2216 PxHelp20 - ok
13:22:39.0921 2216 ql1080 - ok
13:22:39.0937 2216 Ql10wnt - ok
13:22:39.0968 2216 ql12160 - ok
13:22:39.0968 2216 ql1240 - ok
13:22:39.0984 2216 ql1280 - ok
13:22:40.0062 2216 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
13:22:40.0078 2216 RasAcd - ok
13:22:40.0156 2216 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
13:22:40.0203 2216 RasAuto - ok
13:22:40.0265 2216 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
13:22:40.0281 2216 Rasl2tp - ok
13:22:40.0406 2216 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
13:22:40.0500 2216 RasMan - ok
13:22:40.0531 2216 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
13:22:40.0546 2216 RasPppoe - ok
13:22:40.0578 2216 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
13:22:40.0593 2216 Raspti - ok
13:22:40.0703 2216 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
13:22:40.0781 2216 Rdbss - ok
13:22:40.0812 2216 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
13:22:40.0812 2216 RDPCDD - ok
13:22:40.0921 2216 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
13:22:40.0968 2216 RDPWD - ok
13:22:41.0093 2216 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
13:22:41.0187 2216 RDSessMgr - ok
13:22:41.0250 2216 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
13:22:41.0281 2216 redbook - ok
13:22:41.0359 2216 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
13:22:41.0375 2216 RemoteAccess - ok
13:22:41.0453 2216 RemotePCmirror (2e397936292792a4ba413a397c9f0727) C:\WINDOWS\system32\DRIVERS\RemotePCmirror.sys
13:22:41.0468 2216 RemotePCmirror - ok
13:22:41.0515 2216 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
13:22:41.0515 2216 ROOTMODEM - ok
13:22:41.0609 2216 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\System32\locator.exe
13:22:41.0640 2216 RpcLocator - ok
13:22:41.0843 2216 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
13:22:41.0859 2216 RpcSs - ok
13:22:41.0968 2216 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\System32\rsvp.exe
13:22:42.0031 2216 RSVP - ok
13:22:42.0109 2216 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:22:42.0109 2216 SamSs - ok
13:22:42.0218 2216 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
13:22:42.0250 2216 SCardSvr - ok
13:22:42.0390 2216 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
13:22:42.0468 2216 Schedule - ok
13:22:42.0531 2216 ScreenNT (02f5d6a6ea2ed4dd9a866644db6683c2) C:\WINDOWS\system32\drivers\ScreenNT.sys
13:22:42.0531 2216 ScreenNT - ok
13:22:42.0593 2216 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
13:22:42.0609 2216 Secdrv - ok
13:22:42.0656 2216 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
13:22:42.0671 2216 seclogon - ok
13:22:42.0750 2216 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
13:22:42.0765 2216 SENS - ok
13:22:42.0828 2216 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
13:22:42.0843 2216 serenum - ok
13:22:42.0890 2216 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
13:22:42.0921 2216 Serial - ok
13:22:42.0984 2216 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
13:22:43.0000 2216 Sfloppy - ok
13:22:43.0109 2216 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
13:22:43.0125 2216 ShellHWDetection - ok
13:22:43.0140 2216 Simbad - ok
13:22:43.0171 2216 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
13:22:43.0187 2216 SLIP - ok
13:22:43.0250 2216 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
13:22:43.0250 2216 SONYPVU1 - ok
13:22:43.0265 2216 Sparrow - ok
13:22:43.0328 2216 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
13:22:43.0328 2216 splitter - ok
13:22:43.0406 2216 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
13:22:43.0437 2216 Spooler - ok
13:22:43.0484 2216 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
13:22:43.0515 2216 sr - ok
13:22:43.0609 2216 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
13:22:43.0671 2216 srservice - ok
13:22:43.0859 2216 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
13:22:43.0984 2216 Srv - ok
13:22:44.0093 2216 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
13:22:44.0125 2216 SSDPSRV - ok
13:22:44.0296 2216 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
13:22:44.0453 2216 stisvc - ok
13:22:44.0671 2216 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
13:22:44.0750 2216 streamip - ok
13:22:44.0796 2216 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
13:22:44.0796 2216 swenum - ok
13:22:44.0859 2216 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
13:22:44.0890 2216 swmidi - ok
13:22:44.0906 2216 SwPrv - ok
13:22:44.0921 2216 symc810 - ok
13:22:44.0937 2216 symc8xx - ok
13:22:44.0953 2216 sym_hi - ok
13:22:44.0984 2216 sym_u3 - ok
13:22:45.0046 2216 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
13:22:45.0078 2216 sysaudio - ok
13:22:45.0218 2216 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
13:22:45.0296 2216 SysmonLog - ok
13:22:45.0406 2216 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
13:22:45.0500 2216 TapiSrv - ok
13:22:45.0687 2216 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:22:45.0812 2216 Tcpip - ok
13:22:45.0859 2216 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
13:22:45.0859 2216 TDPIPE - ok
13:22:45.0906 2216 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
13:22:45.0921 2216 TDTCP - ok
13:22:45.0968 2216 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
13:22:45.0984 2216 TermDD - ok
13:22:46.0187 2216 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
13:22:46.0296 2216 TermService - ok
13:22:46.0312 2216 TfFsMon - ok
13:22:46.0328 2216 TfNetMon - ok
13:22:46.0343 2216 TfSysMon - ok
13:22:46.0453 2216 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
13:22:46.0468 2216 Themes - ok
13:22:46.0500 2216 TosIde - ok
13:22:46.0578 2216 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
13:22:46.0640 2216 TrkWks - ok
13:22:46.0781 2216 UdfReadr_xp (4e75005b74be901c30f2636df40b0c15) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
13:22:46.0843 2216 UdfReadr_xp - ok
13:22:46.0890 2216 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
13:22:46.0921 2216 Udfs - ok
13:22:46.0937 2216 ultra - ok
13:22:47.0187 2216 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) C:\Program Files\Unlocker\UnlockerDriver5.sys
13:22:47.0296 2216 UnlockerDriver5 - ok
13:22:47.0484 2216 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
13:22:47.0640 2216 Update - ok
13:22:47.0796 2216 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
13:22:47.0875 2216 upnphost - ok
13:22:47.0937 2216 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
13:22:47.0953 2216 UPS - ok
13:22:48.0015 2216 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\WINDOWS\system32\Drivers\usbaapl.sys
13:22:48.0046 2216 USBAAPL - ok
13:22:48.0140 2216 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
13:22:48.0171 2216 usbaudio - ok
13:22:48.0218 2216 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
13:22:48.0234 2216 usbccgp - ok
13:22:48.0296 2216 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:22:48.0312 2216 usbehci - ok
13:22:48.0359 2216 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:22:48.0390 2216 usbhub - ok
13:22:48.0421 2216 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
13:22:48.0421 2216 usbprint - ok
13:22:48.0453 2216 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
13:22:48.0484 2216 usbscan - ok
13:22:48.0531 2216 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:22:48.0546 2216 USBSTOR - ok
13:22:48.0578 2216 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
13:22:48.0578 2216 usbuhci - ok
13:22:48.0656 2216 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
13:22:48.0703 2216 usbvideo - ok
13:22:48.0765 2216 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
13:22:48.0781 2216 VgaSave - ok
13:22:48.0796 2216 ViaIde - ok
13:22:48.0843 2216 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
13:22:48.0859 2216 VolSnap - ok
13:22:49.0031 2216 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
13:22:49.0125 2216 VSS - ok
13:22:49.0234 2216 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
13:22:49.0312 2216 W32Time - ok
13:22:49.0406 2216 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:22:49.0421 2216 Wanarp - ok
13:22:49.0437 2216 WDICA - ok
13:22:49.0515 2216 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
13:22:49.0546 2216 wdmaud - ok
13:22:49.0609 2216 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
13:22:49.0656 2216 WebClient - ok
13:22:49.0921 2216 winachsf (b3133dc158e59e80f5498484b0c2d558) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
13:22:50.0140 2216 winachsf - ok
13:22:50.0875 2216 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
13:22:51.0015 2216 winmgmt - ok
13:22:51.0296 2216 WMDM PMSP Service (581176f60885aef8f78c6e38dcc3cdf9) C:\WINDOWS\System32\MsPMSPSv.exe
13:22:51.0328 2216 WMDM PMSP Service - ok
13:22:51.0484 2216 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
13:22:51.0531 2216 WmdmPmSN - ok
13:22:51.0953 2216 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\System32\wbem\wmiapsrv.exe
13:22:52.0046 2216 WmiApSrv - ok
13:22:53.0484 2216 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
13:22:53.0859 2216 WMPNetworkSvc - ok
13:22:54.0359 2216 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
13:22:54.0750 2216 WPFFontCache_v0400 - ok
13:22:55.0046 2216 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
13:22:55.0062 2216 WS2IFSL - ok
13:22:55.0156 2216 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
13:22:55.0250 2216 wscsvc - ok
13:22:55.0296 2216 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
13:22:55.0296 2216 WSTCODEC - ok
13:22:55.0359 2216 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
13:22:55.0375 2216 wuauserv - ok
13:22:55.0453 2216 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
13:22:55.0468 2216 WudfPf - ok
13:22:55.0531 2216 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
13:22:55.0562 2216 WudfRd - ok
13:22:55.0609 2216 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
13:22:55.0718 2216 WudfSvc - ok
13:22:56.0156 2216 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
13:22:56.0406 2216 WZCSVC - ok
13:22:56.0593 2216 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
13:22:56.0656 2216 xmlprov - ok
13:22:56.0718 2216 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
13:22:57.0312 2216 \Device\Harddisk0\DR0 - ok
13:22:57.0359 2216 MBR (0x1B8) (66d0b28c8b44e531d0c19f436252abaa) \Device\Harddisk1\DR2
13:22:57.0359 2216 \Device\Harddisk1\DR2 - ok
13:22:57.0390 2216 Boot (0x1200) (f95778b872473d3b9c204ded9bfa7c3d) \Device\Harddisk0\DR0\Partition0
13:22:57.0390 2216 \Device\Harddisk0\DR0\Partition0 - ok
13:22:57.0406 2216 Boot (0x1200) (f25cbd15a4003c49a2d624b42d47bdd5) \Device\Harddisk1\DR2\Partition0
13:22:57.0406 2216 \Device\Harddisk1\DR2\Partition0 - ok
13:22:57.0406 2216 ============================================================
13:22:57.0406 2216 Scan finished
13:22:57.0406 2216 ============================================================
13:22:57.0437 2224 Detected object count: 0
13:22:57.0437 2224 Actual detected object count: 0

 

[Broni]

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
• Double click on combofix.exe & follow the prompts.

• 
  NOTE1. If Combofix asks you to install Recovery Console, please allow it.
  NOTE 2. If Combofix asks you to update the program, always do so.

• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe

• Double-click on the Rkill icon to run the tool.
• If using Vista or Windows 7 right-click on it and choose Run As Administrator.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[Phasmos]

OK, downloading the new Combofix. I have to leave for work in about 15 minutes, do you think it best to wait and run it after I get home tonight? I'd hate to start it up and have to leave it running. Is it typically a quick scan?

 

[Broni]

You better run it later.

 

[Phasmos]

Gotcha. OK, thanks for the quick reply and awesome assistance. I hope the computer isn't so sluggish when I fire it up after work...
Anyway, like I said, its definitely running much faster after that "STOP" episode a little while ago. Maybe we stunned the Trojan sucker somehow... Avast is giving useful information again, too (such as asking if I wanted to open ListParts in the "sandbox" first) -- it was in a coma for a while there.
More later! And THANKS!!

 

[Phasmos]

Well, I finally ran Combofix, but the same thing that happened the first time happened again: nothing. I got as far as a screen that said "Scan typically takes 10 minutes, but badly infected machines couldtake twice as long" or something to that effect. Five hours later, nothing had changed.

Also, when I booted the computer up, it seemed to crash - I got a message saying "Windows has encountered a serious problem." This was followed by "Windows has recovered from a serious problem" and a log which read:

Error signature:
BCCode 1000008e BCP1: C0000005 BCP2: F76BE827 BCP3: F75C55F0
BCP4: 00000000 OSVer: 5_1_2600 SP: 3_0 Product: 768_1

Don't know if this is useful to you, but that's what I've experienced most recently. Seems like things are becoming unstable, despite the "normal" computing speed I achieve after the virus has its way with the machine. (Much of this abberant behavior disappears when I unplug the modem, naturally... I guess if the thing can't communicate, it goes off to hide and sulk somewhere.)

What's next? :/

 

[Broni]

From my instructions...

NOTE.
If, for some reason, Combofix refuses to run, try one of the following: