-
April 2nd, 2012, 08:32 PM
#1
[RESOLVED] JS/Iframe Trojan removal
I have a desktop running Win XP SP3 and use MSE as my anti-virus spyware. Today MSE kept sending the alarm about the JS/Iframe trojan and removed it, which required rebooting. After rebooting, the alarm sounded several more times, so I ran an entire system scan, where more viruses were found and removed, During the removal of them the system alarmed again about the JS/Iframe showed again, which was removed and then rebooted.
I have a Netgear WRN3500 wireless router but the JS/Iframe obviously gets past the firewall.
Should I remove the MSE which while detecting the trojan has not been able to block it? And if so, what anti-virus program do you suggest instead. I installed MSE based on recommendations from some of the forum advisers on this site.
Thanks.
-
April 2nd, 2012, 09:30 PM
#2
Please, complete all steps listed here: http://discussions.virtualdr.com/sho...d.php?t=167915
Please, observe following rules:
- Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
- If you're stuck, or you're not sure about certain step, always ask before doing anything else.
- Please refrain from running tools or applying updates other than those I suggest.
- Never run more than one scan at a time.
- Keep updating me regarding your computer behavior, good, or bad.
- The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
- If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
- I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
-
April 3rd, 2012, 03:01 PM
#3
Broni,
Thanks..
This site only allows 50000 characters and the first log alone is more than 111000.
Here's the DDS file:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Administrator at 11:51:08 on 2012-04-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.1889 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://sfbay.craigslist.org/
uInternet Settings,ProxyOverride = localhost
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\ssmmgr.exe /autorun
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10c.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250772743734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9883A5CB-8C28-4770-BD90-15721BE5DF86} : DhcpNameServer = 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ufnvxy8g.default\
FF - prefs.js: browser.startup.homepage - www.sfbay.craigslist.org
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z039&form=ZGAADF&q=
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2009-8-16 119808]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-5-3 40560]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-4-17 13496]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl52807c57;MpKsl52807c57;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f523bc0-c861-40b0-8318-3cb70787f34f}\MpKsl52807c57.sys [2012-4-3 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-7 116608]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-12-19 47640]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-10-16 652360]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848]
R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2010-9-21 36224]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-16 20464]
S1 dpzizbof;dpzizbof;\??\c:\windows\system32\drivers\dpzizbof.sys --> c:\windows\system32\drivers\dpzizbof.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2010-9-29 1527900]
S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"c:\program files\samsung\samsung ml-2510 series\spanel\ssmsrvc /service --> c:\program files\samsung\samsung ml-2510 series\spanel\ssmsrvc [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2010-9-21 134912]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
UnknownUnknown nksummmt;nksummmt; [x]
.
=============== Created Last 30 ================
.
2012-04-03 18:45:18 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f523bc0-c861-40b0-8318-3cb70787f34f}\MpKsl52807c57.sys
2012-04-03 18:37:27 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f523bc0-c861-40b0-8318-3cb70787f34f}\mpengine.dll
2012-03-22 19:12:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-15 21:12:34 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-03-14 20:32:05 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-11 02:02:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
==================== Find3M ====================
.
2012-03-11 02:02:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 11:51:45.26 ===============
-
April 3rd, 2012, 03:03 PM
#4
Here's the DDS.txt file:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 8/16/2009 9:41:02 PM
System Uptime: 4/3/2012 11:24:39 AM (0 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA69GM-S2H
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4600+ | Socket M2 | 2405/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 263.834 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 112 GiB total, 101.489 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP603: 12/31/2011 4:21:31 PM - Software Distribution Service 3.0
RP604: 1/1/2012 7:27:38 PM - Software Distribution Service 3.0
RP605: 1/2/2012 4:03:50 PM - Software Distribution Service 3.0
RP606: 1/2/2012 6:19:43 PM - Revo Uninstaller's restore point - Spotify
RP607: 1/2/2012 6:21:31 PM - Revo Uninstaller's restore point - Best Uninstall Tool
RP608: 1/2/2012 6:22:34 PM - Revo Uninstaller's restore point - Eraser 5.8.7
RP609: 1/4/2012 10:18:20 AM - Software Distribution Service 3.0
RP610: 1/5/2012 10:51:57 AM - Software Distribution Service 3.0
RP611: 1/6/2012 11:03:10 AM - Software Distribution Service 3.0
RP612: 1/6/2012 3:23:49 PM - Software Distribution Service 3.0
RP613: 1/6/2012 4:37:23 PM - Installed QuickTime
RP614: 1/7/2012 3:54:05 PM - Software Distribution Service 3.0
RP615: 1/9/2012 10:50:33 AM - Software Distribution Service 3.0
RP616: 1/9/2012 4:42:14 PM - Software Distribution Service 3.0
RP617: 1/10/2012 2:38:20 PM - Revo Uninstaller's restore point - The Secret Code of Abundance
RP618: 1/11/2012 11:07:20 AM - Software Distribution Service 3.0
RP619: 1/11/2012 6:05:17 PM - Software Distribution Service 3.0
RP620: 1/12/2012 5:00:29 PM - Software Distribution Service 3.0
RP621: 1/13/2012 10:45:03 AM - Software Distribution Service 3.0
RP622: 1/14/2012 11:17:15 AM - Software Distribution Service 3.0
RP623: 1/16/2012 10:47:53 AM - Software Distribution Service 3.0
RP624: 1/16/2012 3:52:36 PM - Software Distribution Service 3.0
RP625: 1/17/2012 4:23:21 PM - Software Distribution Service 3.0
RP626: 1/18/2012 4:02:22 PM - Installed inSSIDer 2.0
RP627: 1/18/2012 4:04:06 PM - Revo Uninstaller's restore point - inSSIDer 2.0
RP628: 1/18/2012 4:04:17 PM - Removed inSSIDer 2.0
RP629: 1/18/2012 5:29:17 PM - Software Distribution Service 3.0
RP630: 1/19/2012 9:43:17 AM - Revo Uninstaller's restore point - Advanced SystemCare 5
RP631: 1/20/2012 10:58:51 AM - Software Distribution Service 3.0
RP632: 1/21/2012 3:41:32 PM - Software Distribution Service 3.0
RP633: 1/23/2012 11:06:31 AM - Software Distribution Service 3.0
RP634: 1/24/2012 3:31:25 PM - System Checkpoint
RP635: 1/25/2012 10:26:40 AM - Software Distribution Service 3.0
RP636: 1/25/2012 11:28:22 AM - Software Distribution Service 3.0
RP637: 1/26/2012 11:40:37 AM - Software Distribution Service 3.0
RP638: 1/27/2012 3:37:59 PM - Software Distribution Service 3.0
RP639: 1/28/2012 5:09:57 PM - Software Distribution Service 3.0
RP640: 1/30/2012 10:23:23 AM - Software Distribution Service 3.0
RP641: 1/31/2012 10:54:47 AM - Software Distribution Service 3.0
RP642: 2/1/2012 12:14:38 PM - Software Distribution Service 3.0
RP643: 2/2/2012 12:50:50 PM - System Checkpoint
RP644: 2/2/2012 2:47:51 PM - Software Distribution Service 3.0
RP645: 2/3/2012 3:39:07 PM - Software Distribution Service 3.0
RP646: 2/4/2012 4:05:57 PM - Software Distribution Service 3.0
RP647: 2/6/2012 1:59:42 PM - Software Distribution Service 3.0
RP648: 2/8/2012 10:55:53 AM - Software Distribution Service 3.0
RP649: 2/9/2012 11:01:22 AM - Software Distribution Service 3.0
RP650: 2/10/2012 3:41:51 PM - Software Distribution Service 3.0
RP651: 2/13/2012 11:14:26 AM - Software Distribution Service 3.0
RP652: 2/14/2012 1:27:01 PM - Software Distribution Service 3.0
RP653: 2/14/2012 4:06:40 PM - Software Distribution Service 3.0
RP654: 2/15/2012 10:32:07 AM - Software Distribution Service 3.0
RP655: 2/16/2012 12:08:19 PM - Software Distribution Service 3.0
RP656: 2/17/2012 1:20:33 PM - Software Distribution Service 3.0
RP657: 2/17/2012 4:06:43 PM - Software Distribution Service 3.0
RP658: 2/18/2012 4:12:18 PM - Software Distribution Service 3.0
RP659: 2/19/2012 4:38:32 PM - Software Distribution Service 3.0
RP660: 2/21/2012 11:01:29 AM - Software Distribution Service 3.0
RP661: 2/22/2012 11:56:33 AM - System Checkpoint
RP662: 2/22/2012 4:35:19 PM - Software Distribution Service 3.0
RP663: 2/23/2012 8:21:29 PM - Software Distribution Service 3.0
RP664: 2/25/2012 8:58:07 AM - Software Distribution Service 3.0
RP665: 2/26/2012 4:42:09 PM - Software Distribution Service 3.0
RP666: 2/27/2012 5:05:05 PM - Software Distribution Service 3.0
RP667: 2/28/2012 1:02:17 PM - Software Distribution Service 3.0
RP668: 2/29/2012 2:24:09 PM - System Checkpoint
RP669: 3/1/2012 9:39:59 AM - Software Distribution Service 3.0
RP670: 3/3/2012 10:38:44 AM - Software Distribution Service 3.0
RP671: 3/4/2012 11:19:28 AM - Software Distribution Service 3.0
RP672: 3/5/2012 4:10:50 PM - Software Distribution Service 3.0
RP673: 3/7/2012 10:30:37 AM - Software Distribution Service 3.0
RP674: 3/8/2012 10:56:24 AM - Software Distribution Service 3.0
RP675: 3/9/2012 4:33:50 PM - Software Distribution Service 3.0
RP676: 3/10/2012 11:19:16 AM - Software Distribution Service 3.0
RP677: 3/10/2012 7:02:13 PM - Removed Java(TM) 6 Update 24
RP678: 3/11/2012 4:28:29 PM - Software Distribution Service 3.0
RP679: 3/13/2012 10:06:28 AM - Software Distribution Service 3.0
RP680: 3/14/2012 9:48:10 AM - Revo Uninstaller's restore point - Free Window Registry Repair
RP681: 3/14/2012 11:32:48 AM - Revo Uninstaller's restore point - RegScrubXP 3.25
RP682: 3/14/2012 1:21:25 PM - Revo Uninstaller's restore point - Microsoft Security Essentials
RP683: 3/14/2012 1:23:47 PM - Software Distribution Service 3.0
RP684: 3/14/2012 1:33:09 PM - Software Distribution Service 3.0
RP685: 3/15/2012 2:12:14 PM - Software Distribution Service 3.0
RP686: 3/17/2012 11:00:36 AM - Software Distribution Service 3.0
RP687: 3/18/2012 5:15:34 PM - Software Distribution Service 3.0
RP688: 3/19/2012 5:51:39 PM - Software Distribution Service 3.0
RP689: 3/21/2012 10:50:55 AM - Software Distribution Service 3.0
RP690: 3/22/2012 12:55:46 PM - System Checkpoint
RP691: 3/23/2012 11:11:09 AM - Software Distribution Service 3.0
RP692: 3/24/2012 12:48:40 PM - Revo Uninstaller's restore point - Diagram Designer
RP693: 3/24/2012 12:51:00 PM - Revo Uninstaller's restore point - Face2Face Classroom v2.0.4.W w/ SG 1.6
RP694: 3/25/2012 4:26:29 PM - Software Distribution Service 3.0
RP695: 3/26/2012 6:16:46 PM - Software Distribution Service 3.0
RP696: 3/28/2012 10:38:47 AM - Software Distribution Service 3.0
RP697: 3/29/2012 11:23:50 AM - Software Distribution Service 3.0
RP698: 3/30/2012 3:00:28 PM - Software Distribution Service 3.0
RP699: 3/31/2012 5:29:51 PM - Software Distribution Service 3.0
RP700: 4/1/2012 5:48:38 PM - System Checkpoint
RP701: 4/2/2012 11:15:33 AM - Software Distribution Service 3.0
RP702: 4/3/2012 11:37:19 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
4Media ISO Creator
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.4.4
Adobe Shockwave Player 11.5
AMD Processor Driver
Apple Application Support
Apple Software Update
ArcSoft MediaImpression for Kodak
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
BurnAware Free 3.0 beta 9
Cablenut 4.08
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCleaner
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Compatibility Pack for the 2007 Office system
CutePDF Writer 2.8
Dropbox
Dual-Core Optimizer
Encompass360 NetBranch Installation Manager
erLT
Firebird SQL Server - MAGIX Edition
Flash Saving Plugin
Foxit Reader
Google Chrome
Google Talk Plugin
GoToMeeting 4.5.0.457
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ImgBurn
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 31
jZip
Logitech Harmony Remote Software 7
Logitech iTouch Software
Logitech MouseWare 9.70
Logitech SetPoint 6.15
Logitech Webcam Software Driver Package
macProVideo.com NED Player
MAGIX 3D Maker (embeded)
MAGIX Movie Edit Pro 15 Plus Download version 8.0.5.8 (UK)
MAGIX Screenshare 4.3.6.1987 (UK)
Malwarebytes Anti-Malware version 1.60.1.1000
MeridianLink Site Security Certificate
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MindMaster
Mozilla Firefox 6.0 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OGA Notifier 2.0.0048.0
Paragon Drive Backup™ 9.5 Professional Edition
PhotoScape
Picasa 3
QuickTime
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Remote Control USB Driver
Revo Uninstaller 1.93
Samsung CLP-310 Series
Samsung ML-2510 Series
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Skins
Skype™ 5.5
Smart Defrag 2
SmartPack 1.19.0
StartupMonitor
SUPERAntiSpyware
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.1.11
WebEx
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
XBMC Media Center
.
==== Event Viewer Messages From Past Week ========
.
3/31/2012 5:18:30 PM, error: Dhcp [1002] - The IP address lease 192.168.1.6 for the Network Card with network address 001D7D9336E1 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
3/28/2012 10:28:06 AM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 001D7D9336E1 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
3/27/2012 10:12:01 AM, error: ACPI [12] - AMLI: ACPI BIOS is attempting to create an illegal memory OpRegion, starting at address 0x0, with a length of 0x1000. This region lies in the Operating system's protected memory address range (0x0 - 0x9f800). This could lead to system instability. Please contact your system vendor for technical assistance.
3/27/2012 10:11:57 AM, error: Service Control Manager [7000] - The SSPORT service failed to start due to the following error: The system cannot find the file specified.
3/27/2012 10:11:57 AM, error: Service Control Manager [7000] - The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the path specified.
.
==== End Of File ===========================
-
April 3rd, 2012, 03:05 PM
#5
Here's the Gmer.log ,Part I:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-03 11:23:58
Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Scsi\ahcix861Port2Path0Target0Lun0 ST332062 rev.1.10
Running: 898rvbti.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pgliqpoc.sys
---- Kernel code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB70DB000, 0x1C5D58, 0xE8000020]
init C:\WINDOWS\System32\Drivers\ArcRec.SYS entry point in "init" section [0xBA5B3138]
---- User code sections - GMER 1.0.15 ----
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 21, 00] {SUB [EAX], AL; AND [EAX], EAX}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 21, 00] {SUB [EBX], AL; AND [EAX], EAX}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 21, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 21, 00] {TEST AL, 0x1; AND [EAX], EAX}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90F71A
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 21, 00] {TEST AL, 0x2; AND [EAX], EAX}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 21, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 21, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90F78B
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 21, 00] {TEST AL, 0x0; AND [EAX], EAX}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90F8B9
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 21, 00] {SUB [ECX], AL; AND [EAX], EAX}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 21, 00] {SUB [EDX], AL; AND [EAX], EAX}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 21, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 18, 00] {SUB [EAX], AL; SBB [EAX], AL}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 18, 00] {SUB [EBX], AL; SBB [EAX], AL}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 18, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 18, 00] {TEST AL, 0x1; SBB [EAX], AL}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EE1A
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 18, 00] {TEST AL, 0x2; SBB [EAX], AL}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 18, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 18, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EE8B
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 18, 00] {TEST AL, 0x0; SBB [EAX], AL}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EFB9
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 18, 00] {SUB [ECX], AL; SBB [EAX], AL}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 18, 00] {SUB [EDX], AL; SBB [EAX], AL}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 18, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 23, 00] {SUB [EAX], AL; AND EAX, [EAX]}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 23, 00] {SUB [EBX], AL; AND EAX, [EAX]}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 23, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 23, 00] {TEST AL, 0x1; AND EAX, [EAX]}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90F91A
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 23, 00] {TEST AL, 0x2; AND EAX, [EAX]}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 23, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 23, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90F98B
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 23, 00] {TEST AL, 0x0; AND EAX, [EAX]}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90FAB9
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 23, 00] {SUB [ECX], AL; AND EAX, [EAX]}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 23, 00] {SUB [EDX], AL; AND EAX, [EAX]}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 23, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 55, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 55, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 55, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 55, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B912B1A
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 55, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 55, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 55, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B912B8B
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 55, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B912CB9
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 55, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 55, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 55, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 24, 00] {SUB [EAX], AL; AND AL, 0x0}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 24, 00] {SUB [EBX], AL; AND AL, 0x0}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 24, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 24, 00] {TEST AL, 0x1; AND AL, 0x0}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90FA1A
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 24, 00] {TEST AL, 0x2; AND AL, 0x0}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 24, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 24, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90FA8B
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 24, 00] {TEST AL, 0x0; AND AL, 0x0}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90FBB9
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 24, 00] {SUB [ECX], AL; AND AL, 0x0}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 24, 00] {SUB [EDX], AL; AND AL, 0x0}
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 24, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 2D, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 2D, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 2D, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 2D, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91031A
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 2D, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 2D, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 2D, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91038B
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 2D, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9104B9
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 2D, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 2D, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 2D, 00]
.text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
-
April 3rd, 2012, 03:08 PM
#6
Here's the Gmer log, Part II:
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00380010
IAT C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002F0010
IAT C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002D0010
IAT C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 003A0010
IAT C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 006C0010
IAT C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 003B0010
IAT C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00580010
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@ Wireless
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@ProcessGroupPolicy ProcessWIRELESSPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@DllName gptext.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@ Folder Redirection
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@ProcessGroupPolicyEx ProcessGroupPolicyEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@DllName fdeploy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoMachinePolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoSlowLink 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@PerUserLocalSettings 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoGPOListChanges 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoBackgroundPolicy 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@GenerateGroupPolicy GenerateGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@EventSources (Folder Redirection,Application)?
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}@Status 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}@RsopStatus 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}@LastPolicyTime 15586841
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}@PrevSlowLink 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}@PrevRsopLogging 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}@ForceRefreshFG 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@ Microsoft Disk Quota
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoMachinePolicy 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoSlowLink 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoBackgroundPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@PerUserLocalSettings 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@RequiresSuccessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@EnableAsynchronousProcessing 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@DllName dskquota.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@ProcessGroupPolicy ProcessGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@ QoS Packet Scheduler
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@ProcessGroupPolicy ProcessPSCHEDPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@DllName gptext.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@ Scripts
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@ProcessGroupPolicy ProcessScriptsGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@ProcessGroupPolicyEx ProcessScriptsGroupPolicyEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@GenerateGroupPolicy GenerateScriptsGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@DllName gptext.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@NoSlowLink 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@NotifyLinkTransition 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@ Internet Explorer Zonemapping
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@DllName C:\WINDOWS\system32\iedkcs32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@ProcessGroupPolicy ProcessGroupPolicyForZoneMap
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@RequiresSucessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@DisplayName @C:\WINDOWS\system32\iedkcs32.dll.mui,-3051
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@RequiresSuccessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@ Internet Explorer User Accelerators
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@DisplayName @C:\WINDOWS\system32\iedkcs32.dll.mui,-3051
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@DllName C:\WINDOWS\system32\iedkcs32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@ProcessGroupPolicy ProcessGroupPolicyForActivities
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@ProcessGroupPolicyEx ProcessGroupPolicyForActivitiesEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@RequiresSuccessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicy SceProcessSecurityPolicyGPO
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@GenerateGroupPolicy SceGenerateGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ExtensionRsopPlanningDebugLevel 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicyEx SceProcessSecurityPolicyGPOEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ExtensionDebugLevel 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@DllName scecli.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ Security
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@EnableAsynchronousProcessing 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@MaxNoGPOListChangesInterval 960
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@ProcessGroupPolicyEx ProcessGroupPolicyEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@GenerateGroupPolicy GenerateGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@ProcessGroupPolicy ProcessGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@DllName C:\WINDOWS\system32\iedkcs32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@ Internet Explorer Branding
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoSlowLink 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoBackgroundPolicy 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoMachinePolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@DisplayName @C:\WINDOWS\system32\iedkcs32.dll.mui,-3014
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicy SceProcessEFSRecoveryGPO
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@DllName scecli.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@ EFS recovery
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@RequiresSuccessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@Status 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@RsopStatus -2147024846
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@LastPolicyTime 15586841
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@PrevSlowLink 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@PrevRsopLogging 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@ForceRefreshFG 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@ 802.3 Group Policy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@DisplayName @dot3gpclnt.dll,-100
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@ProcessGroupPolicyEx ProcessLANPolicyEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@GenerateGroupPolicy GenerateLANPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@DllName dot3gpclnt.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@ Microsoft Offline Files
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@DllName %SystemRoot%\System32\cscui.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@EnableAsynchronousProcessing 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoBackgroundPolicy 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoGPOListChanges 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoMachinePolicy 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoSlowLink 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@PerUserLocalSettings 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@ProcessGroupPolicy ProcessGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@RequiresSuccessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@ Software Installation
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@DllName appmgmts.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@ProcessGroupPolicyEx ProcessGroupPolicyObjectsEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@GenerateGroupPolicy GenerateGroupPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@NoBackgroundPolicy 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@RequiresSucessfulRegistry 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@NoSlowLink 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@PerUserLocalSettings 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@EventSources (Application Management,Application)?(MsiInstaller,Application)?
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@ Internet Explorer Machine Accelerators
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@DisplayName @C:\WINDOWS\system32\iedkcs32.dll.mui,-3051
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@DllName C:\WINDOWS\system32\iedkcs32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@NoGPOListChanges 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@ProcessGroupPolicy ProcessGroupPolicyForActivities
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@ProcessGroupPolicyEx ProcessGroupPolicyForActivitiesEx
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@RequiresSuccessfulRegistry 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@ IP Security
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@ProcessGroupPolicy ProcessIPSECPolicy
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@DllName gptext.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@NoUserPolicy 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@NoGPOListChanges 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@DllName C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logon SABWINLOLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logoff SABWINLOLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Startup SABWINLOStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Shutdown SABWINLOShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName Ati2evxx.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Lock AtiLockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Logoff AtiLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Logon AtiLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Disconnect AtiDisConnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Reconnect AtiReConnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Safe 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Shutdown AtiShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@StartScreenSaver AtiStartScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@StartShell AtiStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Startup AtiStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@StopScreenSaver AtiStopScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Unlock AtiUnLockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@DllName crypt32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Logoff ChainWlxLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@DllName cryptnet.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Logoff CryptnetWlxLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@DLLName cscdll.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logon WinlogonLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logoff WinlogonLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@ScreenSaver WinlogonScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Startup WinlogonStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Shutdown WinlogonShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@StartShell WinlogonStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@DllName %SystemRoot%\System32\dimsntfy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Startup WlDimsStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Shutdown WlDimsShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logon WlDimsLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logoff WlDimsLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@StartShell WlDimsStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Lock WlDimsLock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Unlock WlDimsUnlock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn@DLLName c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn@Startup OnStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn@Logon OnLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn@StartShell OnStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn@Logoff OnLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn@Shutdown OnShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn\Event
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn\Event@Logon LBTWLgn_LOGON
-
April 3rd, 2012, 03:08 PM
#7
Here's the Gmer.log, Part III:
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn\Event@StartShell LBTWLgn_STARTSHELL
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@DllName LMIinit.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Lock WLEventLock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Logoff WLEventLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Logon WLEventLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Shutdown WLEventShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@StartScreenSaver WLEventStartScreenSaver
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@StartShell WLEventStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Startup WLEventStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@StopScreenSaver WLEventStopScreenSaver
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Unlock WLEventUnlock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@DLLName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logon SCardStartCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logoff SCardStopCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Lock SCardSuspendCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Unlock SCardResumeCertProp
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Enabled 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@DllName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@StartShell SchedStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Logoff SchedEventLogOff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Logoff WLEventLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@DllName sclgntfy.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@DLLName WlNotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Lock SensLockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logon SensLogonEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logoff SensLogoffEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Safe 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@MaxWait 600
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartScreenSaver SensStartScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StopScreenSaver SensStopScreenSaverEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Startup SensStartupEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Shutdown SensShutdownEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartShell SensStartShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@PostShell SensPostShellEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Disconnect SensDisconnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Reconnect SensReconnectEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Unlock SensUnlockEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@DllName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Impersonate 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logoff TSEventLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logon TSEventLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@PostShell TSEventPostShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Shutdown TSEventShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@StartShell TSEventStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Startup TSEventStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@MaxWait 600
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Reconnect TSEventReconnect
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Disconnect TSEventDisconnect
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Logon WLEventLogon
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Logoff WLEventLogoff
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Startup WLEventStartup
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Shutdown WLEventShutdown
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@StartScreenSaver WLEventStartScreenSaver
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@StopScreenSaver WLEventStopScreenSaver
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Lock WLEventLock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Unlock WLEventUnlock
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@StartShell WLEventStartShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@PostShell WLEventPostShell
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Disconnect WLEventDisconnect
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Reconnect WLEventReconnect
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Asynchronous 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@SafeMode 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@MaxWait -1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@DllName WgaLogon.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Event 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@InstallEvent 1.9.0040.0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings@
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings@Data 0x01 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@DLLName wlnotify.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logon RegisterTicketExpiredNotificationEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logoff UnregisterTicketExpiredNotificationEvent
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Impersonate 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Asynchronous 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@HelpAssistant 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@TsInternetUser 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@SQLAgentCmdExec 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@NetShowServices 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@IWAM_ 65536
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@IUSR_ 65536
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@VUSR_ 65536
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@LogMeInRemoteUser 0
---- EOF - GMER 1.0.15 ----
-
April 3rd, 2012, 03:10 PM
#8
Here's the ASWMBR.txt log:
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-03 11:45:17
-----------------------------
11:45:17.765 OS Version: Windows 5.1.2600 Service Pack 3
11:45:17.765 Number of processors: 2 586 0x4B02
11:45:17.765 ComputerName: COMPUTER UserName:
11:45:18.734 Initialize success
11:45:32.531 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
11:45:32.531 Disk 0 Vendor: ST3120022A 3.04 Size: 114472MB BusType: 3
11:45:32.531 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Scsi\ahcix861Port2Path0Target0Lun0
11:45:32.531 Disk 1 Vendor: ST332062 1.10 Size: 305244MB BusType: 1
11:45:32.531 Disk 1 MBR read successfully
11:45:32.531 Disk 1 MBR scan
11:45:32.531 Disk 1 Windows XP default MBR code
11:45:32.546 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305234 MB offset 63
11:45:32.546 Disk 1 scanning sectors +625121280
11:45:32.609 Disk 1 scanning C:\WINDOWS\system32\drivers
11:45:38.281 Service scanning
11:45:42.671 Service MpKsl52807c57 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F523BC0-C861-40B0-8318-3CB70787F34F}\MpKsl52807c57.sys **LOCKED** 32
11:45:47.093 Modules scanning
11:45:51.796 Disk 1 trace - called modules:
11:45:51.812 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS ahcix86.sys
11:45:51.812 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8a964ab8]
11:45:51.812 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000069[0x8a9c4920]
11:45:51.812 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Scsi\ahcix861Port2Path0Target0Lun0[0x8a9c4a38]
11:45:51.828 Scan finished successfully
11:46:32.437 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
11:46:32.468 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
-
April 3rd, 2012, 05:51 PM
#9
Since the JS/Iframe notice kept coming up with MSE installed, I removed it and replaced with Avast and then did a full scan. Avast found 63 infections which have been removed so clearly after having done a full scan with MSE, Avast has proven to be superior, not to mention the fact that it scanned the entire system in less than HALF the time MSE took.
Will intend that Avast has removed the JS/Iframe trojan too.. Time will tell.
-
April 3rd, 2012, 06:04 PM
#10
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.
Make sure, you re-enable your security programs, when you're done with Combofix.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE.
If, for some reason, Combofix refuses to run, try one of the following:
1. Run Combofix from Safe Mode.
2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
* Rkill.com
* Rkill.scr
* Rkill.exe- Double-click on the Rkill icon to run the tool.
- If using Vista or Windows 7 right-click on it and choose Run As Administrator.
- A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
- If not, delete the file, then download and use the one provided in Link 2.
- If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
- Do not reboot until instructed.
- If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.
If normal mode still doesn't work, run BOTH tools from safe mode.
In case #2, please post BOTH logs, rKill and Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
April 3rd, 2012, 07:25 PM
#11
Broni.. Since you didn't explain what you saw after reviewing the logs, nor what Combo Fix does, I'm presuming that you feel its important to install and run rather than assume that Avast has removed the problem. I haven't seen the warning pop up, but I will follow your instructions anyway.
Thanks.
-
April 3rd, 2012, 07:28 PM
#12
Yes, we need to run several checks to make sure noting is hiding.
-
April 3rd, 2012, 07:41 PM
#13
OK.. have completed the ComboFix procedure and restarted the system. Avast is working fine and I can only assume that the problem has been fixed. Thanks for the help.
-
April 3rd, 2012, 07:49 PM
#14
It doesn't work that way.
Please re-read rules I posted at the beginning of this topic and act accordingly:
The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
I need to see Combofix log.
-
April 3rd, 2012, 07:57 PM
#15
Broni.. Sorry.. here it is below:
ComboFix 12-04-03.02 - Administrator 04/03/2012 16:31:02.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2330 [GMT -7:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\searchplugins\bing-zugo.xml
c:\documents and settings\Administrator\g2mdlhlpx.exe
c:\documents and settings\Administrator\Local Settings\Application Data\{E570ACC0-095D-4DAD-BCA6-15EA0BAA8282}
c:\documents and settings\Administrator\Local Settings\Application Data\{E570ACC0-095D-4DAD-BCA6-15EA0BAA8282}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{E570ACC0-095D-4DAD-BCA6-15EA0BAA8282}\install.rdf
c:\documents and settings\Administrator\System
c:\documents and settings\Administrator\System\win_qs8.jqx
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
.
((((((((((((((((((((((((( Files Created from 2012-03-03 to 2012-04-03 )))))))))))))))))))))))))))))))
.
.
2012-04-03 20:34 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-04-03 20:34 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-04-03 20:34 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-04-03 20:34 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-04-03 20:34 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-04-03 20:34 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-04-03 20:34 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-04-03 20:34 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-04-03 20:33 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-04-03 20:33 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-04-03 20:33 . 2012-04-03 20:33 -------- d-----w- c:\program files\AVAST Software
2012-04-03 20:33 . 2012-04-03 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-11 02:03 . 2012-03-11 02:03 -------- d-----w- c:\program files\Common Files\Java
2012-03-11 02:02 . 2012-03-11 02:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-11 02:02 . 2011-03-11 23:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:22 . 2008-04-14 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2011-03-20 23:14 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 19:06 . 2012-02-15 17:04 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2009-08-17 04:35 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2009-12-22 22:29 . 2009-12-22 22:29 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-12-22 22:29 . 2009-12-22 22:29 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-12-22 22:29 . 2009-12-22 22:29 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-09-13 06:05 . 2009-09-13 06:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-09-13 06:06 . 2009-09-13 06:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-09-13 06:06 . 2009-09-13 06:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-09-13 06:06 . 2009-09-13 06:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-09-13 06:06 . 2009-09-13 06:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-09-13 06:07 . 2009-09-13 06:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-09-13 06:06 . 2009-09-13 06:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-09-13 06:06 . 2009-09-13 06:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-12-22 22:29 . 2009-12-22 22:29 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
2009-08-14 20:33 . 2009-08-14 20:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-09-13 06:06 . 2009-09-13 06:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-08-22 17:35 . 2011-03-22 18:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-08-17 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2008-08-08 524288]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-03 113024]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
"4100:UDP"= 4100:UDP:uPNP Router Control Port
"5985:TCP"= 5985:TCP:*isabled:Windows Remote Management
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [8/16/2009 8:26 PM 119808]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [5/3/2010 3:45 PM 40560]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [4/17/2011 3:39 PM 13496]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/3/2012 1:34 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/3/2012 1:34 PM 337880]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 6:13 PM 65584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/7/2010 10:02 AM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2012 1:34 PM 20696]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/16/2009 7:37 AM 652360]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\Logishrd\LVMVFM\UMVPFSrv.exe [8/19/2011 10:26 AM 450848]
R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [9/21/2010 10:03 AM 36224]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/16/2009 7:37 AM 20464]
S1 dpzizbof;dpzizbof;\??\c:\windows\system32\drivers\dpzizbof.sys --> c:\windows\system32\drivers\dpzizbof.sys [?]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [9/29/2010 5:07 PM 1527900]
S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service --> c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]
S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [9/21/2010 10:03 AM 134912]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ArcRec
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://sfbay.craigslist.org/
uInternet Settings,ProxyOverride = localhost
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\
FF - prefs.js: browser.startup.homepage - www.sfbay.craigslist.org
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z039&form=ZGAADF&q=
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-SolutoService
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-03 16:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_sugo3_FUService]
"ImagePath"="\"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-117609710-764733703-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,56,27,b4,78,92,0e,43,9c,2a,93,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,56,27,b4,78,92,0e,43,9c,2a,93,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
@DACL=(02 0000)
"Status"=dword:00000000
"RsopStatus"=dword:00000000
"LastPolicyTime"=dword:00edd619
"PrevSlowLink"=dword:00000000
"PrevRsopLogging"=dword:00000001
"ForceRefreshFG"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
"Status"=dword:00000000
"RsopStatus"=dword:80070032
"LastPolicyTime"=dword:00edd619
"PrevSlowLink"=dword:00000000
"PrevRsopLogging"=dword:00000001
"ForceRefreshFG"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
@DACL=(02 0000)
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
@DACL=(02 0000)
"DLLName"="c:\\program files\\common files\\logishrd\\bluetooth\\LBTWlgn.dll"
"Asynchronous"=dword:00000000
"Startup"="OnStartup"
"Logon"="OnLogon"
"StartShell"="OnStartShell"
"Logoff"="OnLogoff"
"Shutdown"="OnShutdown"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"LMIinit.dll"
"Impersonate"=dword:00000000
"Lock"="WLEventLock"
"Logoff"="WLEventLogoff"
"Logon"="WLEventLogon"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StartShell"="WLEventStartShell"
"Startup"="WLEventStartup"
"StopScreenSaver"="WLEventStopScreenSaver"
"Unlock"="WLEventUnlock"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
@DACL=(02 0000)
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=expand:"WgaLogon.dll"
"Event"=dword:00000000
"InstallEvent"="1.9.0040.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"LogMeInRemoteUser"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1988)
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\l3codeca.acm
.
Completion time: 2012-04-03 16:36:13
ComboFix-quarantined-files.txt 2012-04-03 23:36
.
Pre-Run: 283,015,110,656 bytes free
Post-Run: 283,411,382,272 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 112E0F0B8A32EC6E9E76C60CA4A5E568
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|