[RESOLVED] JS/Iframe Trojan removal
Page 1 of 3 123 LastLast
Results 1 to 15 of 43

Thread: [RESOLVED] JS/Iframe Trojan removal

  1. #1
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233

    Resolved [RESOLVED] JS/Iframe Trojan removal

    I have a desktop running Win XP SP3 and use MSE as my anti-virus spyware. Today MSE kept sending the alarm about the JS/Iframe trojan and removed it, which required rebooting. After rebooting, the alarm sounded several more times, so I ran an entire system scan, where more viruses were found and removed, During the removal of them the system alarmed again about the JS/Iframe showed again, which was removed and then rebooted.

    I have a Netgear WRN3500 wireless router but the JS/Iframe obviously gets past the firewall.

    Should I remove the MSE which while detecting the trojan has not been able to block it? And if so, what anti-virus program do you suggest instead. I installed MSE based on recommendations from some of the forum advisers on this site.

    Thanks.

  2. #2
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Please, complete all steps listed here: http://discussions.virtualdr.com/sho...d.php?t=167915

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

  3. #3
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    Broni,

    Thanks..

    This site only allows 50000 characters and the first log alone is more than 111000.

    Here's the DDS file:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
    Run by Administrator at 11:51:08 on 2012-04-03
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.1889 [GMT -7:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Logitech\SetPointP\SetPoint.exe
    C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
    svchost.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://sfbay.craigslist.org/
    uInternet Settings,ProxyOverride = localhost
    mWinlogon: Userinit=c:\windows\system32\userinit.exe
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
    mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
    mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
    mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\ssmmgr.exe /autorun
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10c.exe
    uPolicies-explorer: NoInstrumentation = 1 (0x1)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250772743734
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{9883A5CB-8C28-4770-BD90-15721BE5DF86} : DhcpNameServer = 192.168.1.1
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\ufnvxy8g.default\
    FF - prefs.js: browser.startup.homepage - www.sfbay.craigslist.org
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z039&form=ZGAADF&q=
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: browser.cache.memory.capacity - 65536
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.interrupt.parsing - true
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 0
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    FF - user.js: yahoo.homepage.dontask - true
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2009-8-16 119808]
    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-5-3 40560]
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-4-17 13496]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
    R1 MpKsl52807c57;MpKsl52807c57;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f523bc0-c861-40b0-8318-3cb70787f34f}\MpKsl52807c57.sys [2012-4-3 29904]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-7 116608]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-12-19 47640]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-10-16 652360]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-8-19 450848]
    R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [2010-9-21 36224]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-10-16 20464]
    S1 dpzizbof;dpzizbof;\??\c:\windows\system32\drivers\dpzizbof.sys --> c:\windows\system32\drivers\dpzizbof.sys [?]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
    S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2010-9-29 1527900]
    S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"c:\program files\samsung\samsung ml-2510 series\spanel\ssmsrvc /service --> c:\program files\samsung\samsung ml-2510 series\spanel\ssmsrvc [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
    S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [2010-9-21 134912]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    UnknownUnknown nksummmt;nksummmt; [x]
    .
    =============== Created Last 30 ================
    .
    2012-04-03 18:45:18 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f523bc0-c861-40b0-8318-3cb70787f34f}\MpKsl52807c57.sys
    2012-04-03 18:37:27 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8f523bc0-c861-40b0-8318-3cb70787f34f}\mpengine.dll
    2012-03-22 19:12:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
    2012-03-15 21:12:34 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2012-03-14 20:32:05 -------- d-----w- c:\program files\Microsoft Security Client
    2012-03-11 02:02:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
    .
    ==================== Find3M ====================
    .
    2012-03-11 02:02:41 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    ============= FINISH: 11:51:45.26 ===============

  4. #4
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    Here's the DDS.txt file:


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/16/2009 9:41:02 PM
    System Uptime: 4/3/2012 11:24:39 AM (0 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA69GM-S2H
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4600+ | Socket M2 | 2405/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 298 GiB total, 263.834 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 112 GiB total, 101.489 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP603: 12/31/2011 4:21:31 PM - Software Distribution Service 3.0
    RP604: 1/1/2012 7:27:38 PM - Software Distribution Service 3.0
    RP605: 1/2/2012 4:03:50 PM - Software Distribution Service 3.0
    RP606: 1/2/2012 6:19:43 PM - Revo Uninstaller's restore point - Spotify
    RP607: 1/2/2012 6:21:31 PM - Revo Uninstaller's restore point - Best Uninstall Tool
    RP608: 1/2/2012 6:22:34 PM - Revo Uninstaller's restore point - Eraser 5.8.7
    RP609: 1/4/2012 10:18:20 AM - Software Distribution Service 3.0
    RP610: 1/5/2012 10:51:57 AM - Software Distribution Service 3.0
    RP611: 1/6/2012 11:03:10 AM - Software Distribution Service 3.0
    RP612: 1/6/2012 3:23:49 PM - Software Distribution Service 3.0
    RP613: 1/6/2012 4:37:23 PM - Installed QuickTime
    RP614: 1/7/2012 3:54:05 PM - Software Distribution Service 3.0
    RP615: 1/9/2012 10:50:33 AM - Software Distribution Service 3.0
    RP616: 1/9/2012 4:42:14 PM - Software Distribution Service 3.0
    RP617: 1/10/2012 2:38:20 PM - Revo Uninstaller's restore point - The Secret Code of Abundance
    RP618: 1/11/2012 11:07:20 AM - Software Distribution Service 3.0
    RP619: 1/11/2012 6:05:17 PM - Software Distribution Service 3.0
    RP620: 1/12/2012 5:00:29 PM - Software Distribution Service 3.0
    RP621: 1/13/2012 10:45:03 AM - Software Distribution Service 3.0
    RP622: 1/14/2012 11:17:15 AM - Software Distribution Service 3.0
    RP623: 1/16/2012 10:47:53 AM - Software Distribution Service 3.0
    RP624: 1/16/2012 3:52:36 PM - Software Distribution Service 3.0
    RP625: 1/17/2012 4:23:21 PM - Software Distribution Service 3.0
    RP626: 1/18/2012 4:02:22 PM - Installed inSSIDer 2.0
    RP627: 1/18/2012 4:04:06 PM - Revo Uninstaller's restore point - inSSIDer 2.0
    RP628: 1/18/2012 4:04:17 PM - Removed inSSIDer 2.0
    RP629: 1/18/2012 5:29:17 PM - Software Distribution Service 3.0
    RP630: 1/19/2012 9:43:17 AM - Revo Uninstaller's restore point - Advanced SystemCare 5
    RP631: 1/20/2012 10:58:51 AM - Software Distribution Service 3.0
    RP632: 1/21/2012 3:41:32 PM - Software Distribution Service 3.0
    RP633: 1/23/2012 11:06:31 AM - Software Distribution Service 3.0
    RP634: 1/24/2012 3:31:25 PM - System Checkpoint
    RP635: 1/25/2012 10:26:40 AM - Software Distribution Service 3.0
    RP636: 1/25/2012 11:28:22 AM - Software Distribution Service 3.0
    RP637: 1/26/2012 11:40:37 AM - Software Distribution Service 3.0
    RP638: 1/27/2012 3:37:59 PM - Software Distribution Service 3.0
    RP639: 1/28/2012 5:09:57 PM - Software Distribution Service 3.0
    RP640: 1/30/2012 10:23:23 AM - Software Distribution Service 3.0
    RP641: 1/31/2012 10:54:47 AM - Software Distribution Service 3.0
    RP642: 2/1/2012 12:14:38 PM - Software Distribution Service 3.0
    RP643: 2/2/2012 12:50:50 PM - System Checkpoint
    RP644: 2/2/2012 2:47:51 PM - Software Distribution Service 3.0
    RP645: 2/3/2012 3:39:07 PM - Software Distribution Service 3.0
    RP646: 2/4/2012 4:05:57 PM - Software Distribution Service 3.0
    RP647: 2/6/2012 1:59:42 PM - Software Distribution Service 3.0
    RP648: 2/8/2012 10:55:53 AM - Software Distribution Service 3.0
    RP649: 2/9/2012 11:01:22 AM - Software Distribution Service 3.0
    RP650: 2/10/2012 3:41:51 PM - Software Distribution Service 3.0
    RP651: 2/13/2012 11:14:26 AM - Software Distribution Service 3.0
    RP652: 2/14/2012 1:27:01 PM - Software Distribution Service 3.0
    RP653: 2/14/2012 4:06:40 PM - Software Distribution Service 3.0
    RP654: 2/15/2012 10:32:07 AM - Software Distribution Service 3.0
    RP655: 2/16/2012 12:08:19 PM - Software Distribution Service 3.0
    RP656: 2/17/2012 1:20:33 PM - Software Distribution Service 3.0
    RP657: 2/17/2012 4:06:43 PM - Software Distribution Service 3.0
    RP658: 2/18/2012 4:12:18 PM - Software Distribution Service 3.0
    RP659: 2/19/2012 4:38:32 PM - Software Distribution Service 3.0
    RP660: 2/21/2012 11:01:29 AM - Software Distribution Service 3.0
    RP661: 2/22/2012 11:56:33 AM - System Checkpoint
    RP662: 2/22/2012 4:35:19 PM - Software Distribution Service 3.0
    RP663: 2/23/2012 8:21:29 PM - Software Distribution Service 3.0
    RP664: 2/25/2012 8:58:07 AM - Software Distribution Service 3.0
    RP665: 2/26/2012 4:42:09 PM - Software Distribution Service 3.0
    RP666: 2/27/2012 5:05:05 PM - Software Distribution Service 3.0
    RP667: 2/28/2012 1:02:17 PM - Software Distribution Service 3.0
    RP668: 2/29/2012 2:24:09 PM - System Checkpoint
    RP669: 3/1/2012 9:39:59 AM - Software Distribution Service 3.0
    RP670: 3/3/2012 10:38:44 AM - Software Distribution Service 3.0
    RP671: 3/4/2012 11:19:28 AM - Software Distribution Service 3.0
    RP672: 3/5/2012 4:10:50 PM - Software Distribution Service 3.0
    RP673: 3/7/2012 10:30:37 AM - Software Distribution Service 3.0
    RP674: 3/8/2012 10:56:24 AM - Software Distribution Service 3.0
    RP675: 3/9/2012 4:33:50 PM - Software Distribution Service 3.0
    RP676: 3/10/2012 11:19:16 AM - Software Distribution Service 3.0
    RP677: 3/10/2012 7:02:13 PM - Removed Java(TM) 6 Update 24
    RP678: 3/11/2012 4:28:29 PM - Software Distribution Service 3.0
    RP679: 3/13/2012 10:06:28 AM - Software Distribution Service 3.0
    RP680: 3/14/2012 9:48:10 AM - Revo Uninstaller's restore point - Free Window Registry Repair
    RP681: 3/14/2012 11:32:48 AM - Revo Uninstaller's restore point - RegScrubXP 3.25
    RP682: 3/14/2012 1:21:25 PM - Revo Uninstaller's restore point - Microsoft Security Essentials
    RP683: 3/14/2012 1:23:47 PM - Software Distribution Service 3.0
    RP684: 3/14/2012 1:33:09 PM - Software Distribution Service 3.0
    RP685: 3/15/2012 2:12:14 PM - Software Distribution Service 3.0
    RP686: 3/17/2012 11:00:36 AM - Software Distribution Service 3.0
    RP687: 3/18/2012 5:15:34 PM - Software Distribution Service 3.0
    RP688: 3/19/2012 5:51:39 PM - Software Distribution Service 3.0
    RP689: 3/21/2012 10:50:55 AM - Software Distribution Service 3.0
    RP690: 3/22/2012 12:55:46 PM - System Checkpoint
    RP691: 3/23/2012 11:11:09 AM - Software Distribution Service 3.0
    RP692: 3/24/2012 12:48:40 PM - Revo Uninstaller's restore point - Diagram Designer
    RP693: 3/24/2012 12:51:00 PM - Revo Uninstaller's restore point - Face2Face Classroom v2.0.4.W w/ SG 1.6
    RP694: 3/25/2012 4:26:29 PM - Software Distribution Service 3.0
    RP695: 3/26/2012 6:16:46 PM - Software Distribution Service 3.0
    RP696: 3/28/2012 10:38:47 AM - Software Distribution Service 3.0
    RP697: 3/29/2012 11:23:50 AM - Software Distribution Service 3.0
    RP698: 3/30/2012 3:00:28 PM - Software Distribution Service 3.0
    RP699: 3/31/2012 5:29:51 PM - Software Distribution Service 3.0
    RP700: 4/1/2012 5:48:38 PM - System Checkpoint
    RP701: 4/2/2012 11:15:33 AM - Software Distribution Service 3.0
    RP702: 4/3/2012 11:37:19 AM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    4Media ISO Creator
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.4.4
    Adobe Shockwave Player 11.5
    AMD Processor Driver
    Apple Application Support
    Apple Software Update
    ArcSoft MediaImpression for Kodak
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    BurnAware Free 3.0 beta 9
    Cablenut 4.08
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon G.726 WMP-Decoder
    CANON iMAGE GATEWAY Task for ZoomBrowser EX
    Canon Internet Library for ZoomBrowser EX
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC
    Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities EOS Utility
    Canon Utilities MyCamera
    Canon Utilities MyCamera DC
    Canon Utilities PhotoStitch
    Canon Utilities RemoteCapture DC
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center HydraVision Full
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help English
    CCleaner
    Citrix online plug-in - web
    Citrix online plug-in (DV)
    Citrix online plug-in (HDX)
    Citrix online plug-in (USB)
    Citrix online plug-in (Web)
    Compatibility Pack for the 2007 Office system
    CutePDF Writer 2.8
    Dropbox
    Dual-Core Optimizer
    Encompass360 NetBranch Installation Manager
    erLT
    Firebird SQL Server - MAGIX Edition
    Flash Saving Plugin
    Foxit Reader
    Google Chrome
    Google Talk Plugin
    GoToMeeting 4.5.0.457
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    ImgBurn
    IrfanView (remove only)
    Java Auto Updater
    Java(TM) 6 Update 31
    jZip
    Logitech Harmony Remote Software 7
    Logitech iTouch Software
    Logitech MouseWare 9.70
    Logitech SetPoint 6.15
    Logitech Webcam Software Driver Package
    macProVideo.com NED Player
    MAGIX 3D Maker (embeded)
    MAGIX Movie Edit Pro 15 Plus Download version 8.0.5.8 (UK)
    MAGIX Screenshare 4.3.6.1987 (UK)
    Malwarebytes Anti-Malware version 1.60.1.1000
    MeridianLink Site Security Certificate
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office File Validation Add-In
    Microsoft Office Professional Edition 2003
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MindMaster
    Mozilla Firefox 6.0 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    OGA Notifier 2.0.0048.0
    Paragon Drive Backup™ 9.5 Professional Edition
    PhotoScape
    Picasa 3
    QuickTime
    REALTEK GbE & FE Ethernet PCI NIC Driver
    Realtek High Definition Audio Driver
    Remote Control USB Driver
    Revo Uninstaller 1.93
    Samsung CLP-310 Series
    Samsung ML-2510 Series
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Skins
    Skype™ 5.5
    Smart Defrag 2
    SmartPack 1.19.0
    StartupMonitor
    SUPERAntiSpyware
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB2598845)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2492386)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VLC media player 1.1.11
    WebEx
    WebFldrs XP
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 8
    Windows Management Framework Core
    Windows Media Format 11 runtime
    Windows Media Player 11
    XBMC Media Center
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/31/2012 5:18:30 PM, error: Dhcp [1002] - The IP address lease 192.168.1.6 for the Network Card with network address 001D7D9336E1 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    3/28/2012 10:28:06 AM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 001D7D9336E1 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    3/27/2012 10:12:01 AM, error: ACPI [12] - AMLI: ACPI BIOS is attempting to create an illegal memory OpRegion, starting at address 0x0, with a length of 0x1000. This region lies in the Operating system's protected memory address range (0x0 - 0x9f800). This could lead to system instability. Please contact your system vendor for technical assistance.
    3/27/2012 10:11:57 AM, error: Service Control Manager [7000] - The SSPORT service failed to start due to the following error: The system cannot find the file specified.
    3/27/2012 10:11:57 AM, error: Service Control Manager [7000] - The LogMeIn Kernel Information Provider service failed to start due to the following error: The system cannot find the path specified.
    .
    ==== End Of File ===========================

  5. #5
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    Here's the Gmer.log ,Part I:


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-04-03 11:23:58
    Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Scsi\ahcix861Port2Path0Target0Lun0 ST332062 rev.1.10
    Running: 898rvbti.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pgliqpoc.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB70DB000, 0x1C5D58, 0xE8000020]
    init C:\WINDOWS\System32\Drivers\ArcRec.SYS entry point in "init" section [0xBA5B3138]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 21, 00] {SUB [EAX], AL; AND [EAX], EAX}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 21, 00] {SUB [EBX], AL; AND [EAX], EAX}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 21, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 21, 00] {TEST AL, 0x1; AND [EAX], EAX}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90F71A
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 21, 00] {TEST AL, 0x2; AND [EAX], EAX}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 21, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 21, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90F78B
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 21, 00] {TEST AL, 0x0; AND [EAX], EAX}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90F8B9
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 21, 00] {SUB [ECX], AL; AND [EAX], EAX}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 21, 00] {SUB [EDX], AL; AND [EAX], EAX}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 21, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 18, 00] {SUB [EAX], AL; SBB [EAX], AL}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 18, 00] {SUB [EBX], AL; SBB [EAX], AL}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 18, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 18, 00] {TEST AL, 0x1; SBB [EAX], AL}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EE1A
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 18, 00] {TEST AL, 0x2; SBB [EAX], AL}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 18, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 18, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EE8B
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 18, 00] {TEST AL, 0x0; SBB [EAX], AL}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EFB9
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 18, 00] {SUB [ECX], AL; SBB [EAX], AL}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 18, 00] {SUB [EDX], AL; SBB [EAX], AL}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 18, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 23, 00] {SUB [EAX], AL; AND EAX, [EAX]}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 23, 00] {SUB [EBX], AL; AND EAX, [EAX]}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 23, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 23, 00] {TEST AL, 0x1; AND EAX, [EAX]}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90F91A
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 23, 00] {TEST AL, 0x2; AND EAX, [EAX]}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 23, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 23, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90F98B
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 23, 00] {TEST AL, 0x0; AND EAX, [EAX]}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90FAB9
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 23, 00] {SUB [ECX], AL; AND EAX, [EAX]}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 23, 00] {SUB [EDX], AL; AND EAX, [EAX]}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 23, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 55, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 55, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 55, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 55, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B912B1A
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 55, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 55, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 55, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B912B8B
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 55, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B912CB9
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 55, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 55, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 55, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 24, 00] {SUB [EAX], AL; AND AL, 0x0}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 24, 00] {SUB [EBX], AL; AND AL, 0x0}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 24, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 24, 00] {TEST AL, 0x1; AND AL, 0x0}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90FA1A
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 24, 00] {TEST AL, 0x2; AND AL, 0x0}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 24, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 24, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90FA8B
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 24, 00] {TEST AL, 0x0; AND AL, 0x0}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90FBB9
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 24, 00] {SUB [ECX], AL; AND AL, 0x0}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 24, 00] {SUB [EDX], AL; AND AL, 0x0}
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 24, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 2D, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 2D, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 2D, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 2D, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91031A
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 2D, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 2D, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 2D, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91038B
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 2D, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9104B9
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 2D, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 2D, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 2D, 00]
    .text C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

  6. #6
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    Here's the Gmer log, Part II:

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[548] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00380010
    IAT C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[604] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002F0010
    IAT C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[612] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002D0010
    IAT C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[656] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 003A0010
    IAT C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[724] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 006C0010
    IAT C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1872] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 003B0010
    IAT C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2252] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00580010

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@ Wireless
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@ProcessGroupPolicy ProcessWIRELESSPolicy
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@DllName gptext.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@NoUserPolicy 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}@NoGPOListChanges 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@ Folder Redirection
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@ProcessGroupPolicyEx ProcessGroupPolicyEx
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@DllName fdeploy.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoMachinePolicy 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoSlowLink 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@PerUserLocalSettings 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoGPOListChanges 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@NoBackgroundPolicy 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@GenerateGroupPolicy GenerateGroupPolicy
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}@EventSources (Folder Redirection,Application)?
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}@Status 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}@RsopStatus 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}@LastPolicyTime 15586841
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}@PrevSlowLink 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}@PrevRsopLogging 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}@ForceRefreshFG 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@ Microsoft Disk Quota
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoMachinePolicy 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoUserPolicy 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoSlowLink 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoBackgroundPolicy 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@NoGPOListChanges 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@PerUserLocalSettings 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@RequiresSuccessfulRegistry 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@EnableAsynchronousProcessing 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@DllName dskquota.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}@ProcessGroupPolicy ProcessGroupPolicy
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@ QoS Packet Scheduler
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@ProcessGroupPolicy ProcessPSCHEDPolicy
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@DllName gptext.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@NoUserPolicy 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}@NoGPOListChanges 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@ Scripts
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@ProcessGroupPolicy ProcessScriptsGroupPolicy
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@ProcessGroupPolicyEx ProcessScriptsGroupPolicyEx
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@GenerateGroupPolicy GenerateScriptsGroupPolicy
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@DllName gptext.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@NoSlowLink 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@NoGPOListChanges 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}@NotifyLinkTransition 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@ Internet Explorer Zonemapping
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@DllName C:\WINDOWS\system32\iedkcs32.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@ProcessGroupPolicy ProcessGroupPolicyForZoneMap
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@NoGPOListChanges 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@RequiresSucessfulRegistry 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@DisplayName @C:\WINDOWS\system32\iedkcs32.dll.mui,-3051
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}@RequiresSuccessfulRegistry 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@ Internet Explorer User Accelerators
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@DisplayName @C:\WINDOWS\system32\iedkcs32.dll.mui,-3051
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@DllName C:\WINDOWS\system32\iedkcs32.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@NoGPOListChanges 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@ProcessGroupPolicy ProcessGroupPolicyForActivities
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@ProcessGroupPolicyEx ProcessGroupPolicyForActivitiesEx
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}@RequiresSuccessfulRegistry 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicy SceProcessSecurityPolicyGPO
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@GenerateGroupPolicy SceGenerateGroupPolicy
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ExtensionRsopPlanningDebugLevel 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicyEx SceProcessSecurityPolicyGPOEx
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ExtensionDebugLevel 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@DllName scecli.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@ Security
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@NoUserPolicy 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@NoGPOListChanges 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@EnableAsynchronousProcessing 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}@MaxNoGPOListChangesInterval 960
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@ProcessGroupPolicyEx ProcessGroupPolicyEx
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@GenerateGroupPolicy GenerateGroupPolicy
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@ProcessGroupPolicy ProcessGroupPolicy
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@DllName C:\WINDOWS\system32\iedkcs32.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@ Internet Explorer Branding
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoSlowLink 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoBackgroundPolicy 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoGPOListChanges 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@NoMachinePolicy 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}@DisplayName @C:\WINDOWS\system32\iedkcs32.dll.mui,-3014
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@ProcessGroupPolicy SceProcessEFSRecoveryGPO
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@DllName scecli.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@ EFS recovery
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@NoUserPolicy 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@NoGPOListChanges 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@RequiresSuccessfulRegistry 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@Status 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@RsopStatus -2147024846
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@LastPolicyTime 15586841
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@PrevSlowLink 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@PrevRsopLogging 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}@ForceRefreshFG 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@ 802.3 Group Policy
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@DisplayName @dot3gpclnt.dll,-100
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@ProcessGroupPolicyEx ProcessLANPolicyEx
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@GenerateGroupPolicy GenerateLANPolicy
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@DllName dot3gpclnt.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@NoUserPolicy 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}@NoGPOListChanges 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@ Microsoft Offline Files
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@DllName %SystemRoot%\System32\cscui.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@EnableAsynchronousProcessing 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoBackgroundPolicy 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoGPOListChanges 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoMachinePolicy 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoSlowLink 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@NoUserPolicy 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@PerUserLocalSettings 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@ProcessGroupPolicy ProcessGroupPolicy
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}@RequiresSuccessfulRegistry 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@ Software Installation
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@DllName appmgmts.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@ProcessGroupPolicyEx ProcessGroupPolicyObjectsEx
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@GenerateGroupPolicy GenerateGroupPolicy
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@NoBackgroundPolicy 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@RequiresSucessfulRegistry 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@NoSlowLink 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@PerUserLocalSettings 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}@EventSources (Application Management,Application)?(MsiInstaller,Application)?
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@ Internet Explorer Machine Accelerators
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@DisplayName @C:\WINDOWS\system32\iedkcs32.dll.mui,-3051
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@DllName C:\WINDOWS\system32\iedkcs32.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@NoGPOListChanges 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@ProcessGroupPolicy ProcessGroupPolicyForActivities
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@ProcessGroupPolicyEx ProcessGroupPolicyForActivitiesEx
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}@RequiresSuccessfulRegistry 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@ IP Security
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@ProcessGroupPolicy ProcessIPSECPolicy
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@DllName gptext.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@NoUserPolicy 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}@NoGPOListChanges 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@DllName C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logon SABWINLOLogon
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Logoff SABWINLOLogoff
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Startup SABWINLOStartup
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Shutdown SABWINLOShutdown
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Asynchronous 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon@Impersonate 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@DLLName Ati2evxx.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Asynchronous 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Impersonate 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Lock AtiLockEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Logoff AtiLogoffEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Logon AtiLogonEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Disconnect AtiDisConnectEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Reconnect AtiReConnectEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Safe 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Shutdown AtiShutdownEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@StartScreenSaver AtiStartScreenSaverEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@StartShell AtiStartShellEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Startup AtiStartupEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@StopScreenSaver AtiStopScreenSaverEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent@Unlock AtiUnLockEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Asynchronous 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Impersonate 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@DllName crypt32.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain@Logoff ChainWlxLogoffEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Asynchronous 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Impersonate 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@DllName cryptnet.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet@Logoff CryptnetWlxLogoffEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@DLLName cscdll.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logon WinlogonLogonEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Logoff WinlogonLogoffEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@ScreenSaver WinlogonScreenSaverEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Startup WinlogonStartupEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Shutdown WinlogonShutdownEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@StartShell WinlogonStartShellEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Impersonate 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll@Asynchronous 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Asynchronous 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@DllName %SystemRoot%\System32\dimsntfy.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Startup WlDimsStartup
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Shutdown WlDimsShutdown
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logon WlDimsLogon
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Logoff WlDimsLogoff
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@StartShell WlDimsStartShell
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Lock WlDimsLock
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy@Unlock WlDimsUnlock
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn@DLLName c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn@Asynchronous 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn@Startup OnStartup
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn@Logon OnLogon
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn@StartShell OnStartShell
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn@Logoff OnLogoff
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn@Shutdown OnShutdown
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn\Event
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn\Event@Logon LBTWLgn_LOGON

  7. #7
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    Here's the Gmer.log, Part III:

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn\Event@StartShell LBTWLgn_STARTSHELL
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Asynchronous 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@DllName LMIinit.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Impersonate 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Lock WLEventLock
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Logoff WLEventLogoff
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Logon WLEventLogon
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Shutdown WLEventShutdown
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@StartScreenSaver WLEventStartScreenSaver
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@StartShell WLEventStartShell
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Startup WLEventStartup
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@StopScreenSaver WLEventStopScreenSaver
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit@Unlock WLEventUnlock
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@DLLName wlnotify.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logon SCardStartCertProp
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Logoff SCardStopCertProp
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Lock SCardSuspendCertProp
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Unlock SCardResumeCertProp
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Enabled 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Impersonate 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp@Asynchronous 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Asynchronous 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@DllName wlnotify.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Impersonate 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@StartShell SchedStartShell
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule@Logoff SchedEventLogOff
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Logoff WLEventLogoff
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Impersonate 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@Asynchronous 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy@DllName sclgntfy.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@DLLName WlNotify.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Lock SensLockEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logon SensLogonEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Logoff SensLogoffEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Safe 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@MaxWait 600
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartScreenSaver SensStartScreenSaverEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StopScreenSaver SensStopScreenSaverEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Startup SensStartupEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Shutdown SensShutdownEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@StartShell SensStartShellEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@PostShell SensPostShellEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Disconnect SensDisconnectEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Reconnect SensReconnectEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Unlock SensUnlockEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Impersonate 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn@Asynchronous 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Asynchronous 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@DllName wlnotify.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Impersonate 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logoff TSEventLogoff
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Logon TSEventLogon
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@PostShell TSEventPostShell
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Shutdown TSEventShutdown
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@StartShell TSEventStartShell
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Startup TSEventStartup
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@MaxWait 600
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Reconnect TSEventReconnect
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv@Disconnect TSEventDisconnect
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Logon WLEventLogon
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Logoff WLEventLogoff
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Startup WLEventStartup
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Shutdown WLEventShutdown
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@StartScreenSaver WLEventStartScreenSaver
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@StopScreenSaver WLEventStopScreenSaver
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Lock WLEventLock
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Unlock WLEventUnlock
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@StartShell WLEventStartShell
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@PostShell WLEventPostShell
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Disconnect WLEventDisconnect
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Reconnect WLEventReconnect
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Impersonate 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Asynchronous 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@SafeMode 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@MaxWait -1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@DllName WgaLogon.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@Event 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon@InstallEvent 1.9.0040.0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings@
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings@Data 0x01 0x00 0x00 0x00 ...
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@DLLName wlnotify.dll
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logon RegisterTicketExpiredNotificationEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Logoff UnregisterTicketExpiredNotificationEvent
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Impersonate 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon@Asynchronous 1
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@HelpAssistant 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@TsInternetUser 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@SQLAgentCmdExec 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@NetShowServices 0
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@IWAM_ 65536
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@IUSR_ 65536
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@VUSR_ 65536
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList@LogMeInRemoteUser 0

    ---- EOF - GMER 1.0.15 ----

  8. #8
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    Here's the ASWMBR.txt log:


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-04-03 11:45:17
    -----------------------------
    11:45:17.765 OS Version: Windows 5.1.2600 Service Pack 3
    11:45:17.765 Number of processors: 2 586 0x4B02
    11:45:17.765 ComputerName: COMPUTER UserName:
    11:45:18.734 Initialize success
    11:45:32.531 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
    11:45:32.531 Disk 0 Vendor: ST3120022A 3.04 Size: 114472MB BusType: 3
    11:45:32.531 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Scsi\ahcix861Port2Path0Target0Lun0
    11:45:32.531 Disk 1 Vendor: ST332062 1.10 Size: 305244MB BusType: 1
    11:45:32.531 Disk 1 MBR read successfully
    11:45:32.531 Disk 1 MBR scan
    11:45:32.531 Disk 1 Windows XP default MBR code
    11:45:32.546 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305234 MB offset 63
    11:45:32.546 Disk 1 scanning sectors +625121280
    11:45:32.609 Disk 1 scanning C:\WINDOWS\system32\drivers
    11:45:38.281 Service scanning
    11:45:42.671 Service MpKsl52807c57 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8F523BC0-C861-40B0-8318-3CB70787F34F}\MpKsl52807c57.sys **LOCKED** 32
    11:45:47.093 Modules scanning
    11:45:51.796 Disk 1 trace - called modules:
    11:45:51.812 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS ahcix86.sys
    11:45:51.812 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8a964ab8]
    11:45:51.812 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000069[0x8a9c4920]
    11:45:51.812 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Scsi\ahcix861Port2Path0Target0Lun0[0x8a9c4a38]
    11:45:51.828 Scan finished successfully
    11:46:32.437 Disk 1 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
    11:46:32.468 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

  9. #9
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    Since the JS/Iframe notice kept coming up with MSE installed, I removed it and replaced with Avast and then did a full scan. Avast found 63 infections which have been removed so clearly after having done a full scan with MSE, Avast has proven to be superior, not to mention the fact that it scanned the entire system in less than HALF the time MSE took.

    Will intend that Avast has removed the JS/Iframe trojan too.. Time will tell.

  10. #10
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.

    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"

    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  11. #11
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    Broni.. Since you didn't explain what you saw after reviewing the logs, nor what Combo Fix does, I'm presuming that you feel its important to install and run rather than assume that Avast has removed the problem. I haven't seen the warning pop up, but I will follow your instructions anyway.

    Thanks.

  12. #12
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Yes, we need to run several checks to make sure noting is hiding.

  13. #13
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    OK.. have completed the ComboFix procedure and restarted the system. Avast is working fine and I can only assume that the problem has been fixed. Thanks for the help.

  14. #14
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    It doesn't work that way.
    Please re-read rules I posted at the beginning of this topic and act accordingly:
    The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    I need to see Combofix log.

  15. #15
    Join Date
    Jun 2004
    Location
    Mill Valley, CA
    Posts
    233
    Broni.. Sorry.. here it is below:


    ComboFix 12-04-03.02 - Administrator 04/03/2012 16:31:02.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2330 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\searchplugins\bing-zugo.xml
    c:\documents and settings\Administrator\g2mdlhlpx.exe
    c:\documents and settings\Administrator\Local Settings\Application Data\{E570ACC0-095D-4DAD-BCA6-15EA0BAA8282}
    c:\documents and settings\Administrator\Local Settings\Application Data\{E570ACC0-095D-4DAD-BCA6-15EA0BAA8282}\chrome\content\overlay.xul
    c:\documents and settings\Administrator\Local Settings\Application Data\{E570ACC0-095D-4DAD-BCA6-15EA0BAA8282}\install.rdf
    c:\documents and settings\Administrator\System
    c:\documents and settings\Administrator\System\win_qs8.jqx
    c:\documents and settings\All Users\Application Data\TEMP
    c:\program files\Search Toolbar
    c:\program files\Search Toolbar\icon.ico
    c:\program files\Search Toolbar\SearchToolbarUninstall.exe
    c:\program files\Search Toolbar\SearchToolbarUpdater.exe
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-03 to 2012-04-03 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-03 20:34 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-04-03 20:34 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-04-03 20:34 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-04-03 20:34 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-04-03 20:34 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-04-03 20:34 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2012-04-03 20:34 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2012-04-03 20:34 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2012-04-03 20:33 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
    2012-04-03 20:33 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-04-03 20:33 . 2012-04-03 20:33 -------- d-----w- c:\program files\AVAST Software
    2012-04-03 20:33 . 2012-04-03 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
    2012-03-11 02:03 . 2012-03-11 02:03 -------- d-----w- c:\program files\Common Files\Java
    2012-03-11 02:02 . 2012-03-11 02:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-11 02:02 . 2011-03-11 23:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-02-03 09:22 . 2008-04-14 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
    2012-01-31 12:44 . 2011-03-20 23:14 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-01-11 19:06 . 2012-02-15 17:04 3072 ------w- c:\windows\system32\iacenc.dll
    2012-01-09 16:20 . 2009-08-17 04:35 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2009-12-22 22:29 . 2009-12-22 22:29 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2009-12-22 22:29 . 2009-12-22 22:29 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2009-12-22 22:29 . 2009-12-22 22:29 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2009-09-13 06:05 . 2009-09-13 06:05 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
    2009-09-13 06:06 . 2009-09-13 06:06 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
    2009-09-13 06:06 . 2009-09-13 06:06 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
    2009-09-13 06:06 . 2009-09-13 06:06 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
    2009-09-13 06:06 . 2009-09-13 06:06 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
    2009-09-13 06:07 . 2009-09-13 06:07 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
    2009-09-13 06:06 . 2009-09-13 06:06 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
    2009-09-13 06:06 . 2009-09-13 06:06 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
    2009-12-22 22:29 . 2009-12-22 22:29 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll
    2009-08-14 20:33 . 2009-08-14 20:33 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
    2009-09-13 06:06 . 2009-09-13 06:06 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
    2011-08-22 17:35 . 2011-03-22 18:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2009-08-17 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2010-10-06 23:36 94208 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
    "Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2008-08-08 524288]
    "RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-03 113024]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Documents and Settings\\Administrator\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
    "4100:UDP"= 4100:UDP:uPNP Router Control Port
    "5985:TCP"= 5985:TCP:*isabled:Windows Remote Management
    .
    R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [8/16/2009 8:26 PM 119808]
    R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [5/3/2010 3:45 PM 40560]
    R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [4/17/2011 3:39 PM 13496]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/3/2012 1:34 PM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/3/2012 1:34 PM 337880]
    R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [9/8/2009 6:13 PM 65584]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 11:25 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/7/2010 10:02 AM 116608]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2012 1:34 PM 20696]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/16/2009 7:37 AM 652360]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\Logishrd\LVMVFM\UMVPFSrv.exe [8/19/2011 10:26 AM 450848]
    R3 ArcCD;ArcCD Filter Driver Service;c:\windows\system32\drivers\ArcCD.sys [9/21/2010 10:03 AM 36224]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/16/2009 7:37 AM 20464]
    S1 dpzizbof;dpzizbof;\??\c:\windows\system32\drivers\dpzizbof.sys --> c:\windows\system32\drivers\dpzizbof.sys [?]
    S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
    S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [9/29/2010 5:07 PM 1527900]
    S3 SM_sugo3_FUService;sugo3 Status Monitor Service;"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service --> c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc [?]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:00 AM 14336]
    S4 ArcUdfs;ArcUdfs FileSystem Driver Service;c:\windows\system32\drivers\ArcUdfs.sys [9/21/2010 10:03 AM 134912]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - ArcRec
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://sfbay.craigslist.org/
    uInternet Settings,ProxyOverride = localhost
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ufnvxy8g.default\
    FF - prefs.js: browser.startup.homepage - www.sfbay.craigslist.org
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z039&form=ZGAADF&q=
    FF - user.js: browser.cache.memory.capacity - 65536
    FF - user.js: browser.chrome.favicons - false
    FF - user.js: browser.display.show_image_placeholders - true
    FF - user.js: browser.turbo.enabled - true
    FF - user.js: browser.urlbar.autocomplete.enabled - true
    FF - user.js: browser.urlbar.autofill - true
    FF - user.js: content.interrupt.parsing - true
    FF - user.js: content.max.tokenizing.time - 2250000
    FF - user.js: content.notify.backoffcount - 5
    FF - user.js: content.notify.interval - 750000
    FF - user.js: content.notify.ontimer - true
    FF - user.js: content.switch.threshold - 750000
    FF - user.js: network.http.max-connections - 48
    FF - user.js: network.http.max-connections-per-server - 16
    FF - user.js: network.http.max-persistent-connections-per-proxy - 16
    FF - user.js: network.http.max-persistent-connections-per-server - 8
    FF - user.js: network.http.pipelining - true
    FF - user.js: network.http.pipelining.firstrequest - true
    FF - user.js: network.http.pipelining.maxrequests - 8
    FF - user.js: network.http.proxy.pipelining - true
    FF - user.js: network.http.request.max-start-delay - 0
    FF - user.js: nglayout.initialpaint.delay - 0
    FF - user.js: plugin.expose_full_path - true
    FF - user.js: ui.submenuDelay - 0
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    SafeBoot-SolutoService
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-04-03 16:34
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_sugo3_FUService]
    "ImagePath"="\"c:\program files\Samsung\Samsung ML-2510 Series\SPanel\ssmsrvc /Service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-117609710-764733703-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,56,27,b4,78,92,0e,43,9c,2a,93,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e4,56,27,b4,78,92,0e,43,9c,2a,93,\
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
    @DACL=(02 0000)
    @="Wireless"
    "ProcessGroupPolicy"="ProcessWIRELESSPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
    @DACL=(02 0000)
    @="Folder Redirection"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
    "DllName"=expand:"fdeploy.dll"
    "NoMachinePolicy"=dword:00000001
    "NoSlowLink"=dword:00000001
    "PerUserLocalSettings"=dword:00000001
    "NoGPOListChanges"=dword:00000000
    "NoBackgroundPolicy"=dword:00000000
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "EventSources"=multi:"(Folder Redirection,Application)\00\00"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
    @DACL=(02 0000)
    "Status"=dword:00000000
    "RsopStatus"=dword:00000000
    "LastPolicyTime"=dword:00edd619
    "PrevSlowLink"=dword:00000000
    "PrevRsopLogging"=dword:00000001
    "ForceRefreshFG"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
    @DACL=(02 0000)
    @="Microsoft Disk Quota"
    "NoMachinePolicy"=dword:00000000
    "NoUserPolicy"=dword:00000001
    "NoSlowLink"=dword:00000001
    "NoBackgroundPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "PerUserLocalSettings"=dword:00000000
    "RequiresSuccessfulRegistry"=dword:00000001
    "EnableAsynchronousProcessing"=dword:00000000
    "DllName"=expand:"dskquota.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
    @DACL=(02 0000)
    @="QoS Packet Scheduler"
    "ProcessGroupPolicy"="ProcessPSCHEDPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
    @DACL=(02 0000)
    @="Scripts"
    "ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
    "ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
    "GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
    "DllName"=expand:"gptext.dll"
    "NoSlowLink"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "NotifyLinkTransition"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
    @DACL=(02 0000)
    @="Internet Explorer Zonemapping"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
    "NoGPOListChanges"=dword:00000001
    "RequiresSucessfulRegistry"=dword:00000001
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
    @DACL=(02 0000)
    @="Internet Explorer User Accelerators"
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "NoGPOListChanges"=dword:00000001
    "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
    @DACL=(02 0000)
    "ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
    "GenerateGroupPolicy"="SceGenerateGroupPolicy"
    "ExtensionRsopPlanningDebugLevel"=dword:00000001
    "ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
    "ExtensionDebugLevel"=dword:00000001
    "DllName"=expand:"scecli.dll"
    @="Security"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "EnableAsynchronousProcessing"=dword:00000001
    "MaxNoGPOListChangesInterval"=dword:000003c0
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
    @DACL=(02 0000)
    "ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    @="Internet Explorer Branding"
    "NoSlowLink"=dword:00000001
    "NoBackgroundPolicy"=dword:00000000
    "NoGPOListChanges"=dword:00000001
    "NoMachinePolicy"=dword:00000001
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
    @DACL=(02 0000)
    "ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
    "DllName"=expand:"scecli.dll"
    @="EFS recovery"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    "RequiresSuccessfulRegistry"=dword:00000001
    "Status"=dword:00000000
    "RsopStatus"=dword:80070032
    "LastPolicyTime"=dword:00edd619
    "PrevSlowLink"=dword:00000000
    "PrevRsopLogging"=dword:00000001
    "ForceRefreshFG"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
    @DACL=(02 0000)
    @="802.3 Group Policy"
    "DisplayName"=expand:"@dot3gpclnt.dll,-100"
    "ProcessGroupPolicyEx"="ProcessLANPolicyEx"
    "GenerateGroupPolicy"="GenerateLANPolicy"
    "DllName"=expand:"dot3gpclnt.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
    @DACL=(02 0000)
    @="Microsoft Offline Files"
    "DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
    "EnableAsynchronousProcessing"=dword:00000000
    "NoBackgroundPolicy"=dword:00000000
    "NoGPOListChanges"=dword:00000000
    "NoMachinePolicy"=dword:00000000
    "NoSlowLink"=dword:00000000
    "NoUserPolicy"=dword:00000001
    "PerUserLocalSettings"=dword:00000000
    "ProcessGroupPolicy"="ProcessGroupPolicy"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
    @DACL=(02 0000)
    @="Software Installation"
    "DllName"=expand:"appmgmts.dll"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
    "GenerateGroupPolicy"="GenerateGroupPolicy"
    "NoBackgroundPolicy"=dword:00000000
    "RequiresSucessfulRegistry"=dword:00000000
    "NoSlowLink"=dword:00000001
    "PerUserLocalSettings"=dword:00000001
    "EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
    @DACL=(02 0000)
    @="Internet Explorer Machine Accelerators"
    "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
    "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
    "NoGPOListChanges"=dword:00000001
    "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
    "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
    "RequiresSuccessfulRegistry"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
    @DACL=(02 0000)
    @="IP Security"
    "ProcessGroupPolicy"="ProcessIPSECPolicy"
    "DllName"=expand:"gptext.dll"
    "NoUserPolicy"=dword:00000001
    "NoGPOListChanges"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
    @DACL=(02 0000)
    "DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
    "Logon"="SABWINLOLogon"
    "Logoff"="SABWINLOLogoff"
    "Startup"="SABWINLOStartup"
    "Shutdown"="SABWINLOShutdown"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    @DACL=(02 0000)
    "DLLName"="Ati2evxx.dll"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000001
    "Lock"="AtiLockEvent"
    "Logoff"="AtiLogoffEvent"
    "Logon"="AtiLogonEvent"
    "Disconnect"="AtiDisConnectEvent"
    "Reconnect"="AtiReConnectEvent"
    "Safe"=dword:00000000
    "Shutdown"="AtiShutdownEvent"
    "StartScreenSaver"="AtiStartScreenSaverEvent"
    "StartShell"="AtiStartShellEvent"
    "Startup"="AtiStartupEvent"
    "StopScreenSaver"="AtiStopScreenSaverEvent"
    "Unlock"="AtiUnLockEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=expand:"crypt32.dll"
    "Logoff"="ChainWlxLogoffEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=expand:"cryptnet.dll"
    "Logoff"="CryptnetWlxLogoffEvent"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    @DACL=(02 0000)
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000001
    "DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
    "Startup"="WlDimsStartup"
    "Shutdown"="WlDimsShutdown"
    "Logon"="WlDimsLogon"
    "Logoff"="WlDimsLogoff"
    "StartShell"="WlDimsStartShell"
    "Lock"="WlDimsLock"
    "Unlock"="WlDimsUnlock"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
    @DACL=(02 0000)
    "DLLName"="c:\\program files\\common files\\logishrd\\bluetooth\\LBTWlgn.dll"
    "Asynchronous"=dword:00000000
    "Startup"="OnStartup"
    "Logon"="OnLogon"
    "StartShell"="OnStartShell"
    "Logoff"="OnLogoff"
    "Shutdown"="OnShutdown"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"LMIinit.dll"
    "Impersonate"=dword:00000000
    "Lock"="WLEventLock"
    "Logoff"="WLEventLogoff"
    "Logon"="WLEventLogon"
    "Shutdown"="WLEventShutdown"
    "StartScreenSaver"="WLEventStartScreenSaver"
    "StartShell"="WLEventStartShell"
    "Startup"="WLEventStartup"
    "StopScreenSaver"="WLEventStopScreenSaver"
    "Unlock"="WLEventUnlock"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    @DACL=(02 0000)
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"wlnotify.dll"
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    @DACL=(02 0000)
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=expand:"sclgntfy.dll"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    @DACL=(02 0000)
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    @DACL=(02 0000)
    "Asynchronous"=dword:00000000
    "DllName"=expand:"wlnotify.dll"
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    @DACL=(02 0000)
    "Logon"="WLEventLogon"
    "Logoff"="WLEventLogoff"
    "Startup"="WLEventStartup"
    "Shutdown"="WLEventShutdown"
    "StartScreenSaver"="WLEventStartScreenSaver"
    "StopScreenSaver"="WLEventStopScreenSaver"
    "Lock"="WLEventLock"
    "Unlock"="WLEventUnlock"
    "StartShell"="WLEventStartShell"
    "PostShell"="WLEventPostShell"
    "Disconnect"="WLEventDisconnect"
    "Reconnect"="WLEventReconnect"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000000
    "SafeMode"=dword:00000001
    "MaxWait"=dword:ffffffff
    "DllName"=expand:"WgaLogon.dll"
    "Event"=dword:00000000
    "InstallEvent"="1.9.0040.0"
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    @DACL=(02 0000)
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
    @DACL=(02 0000)
    "HelpAssistant"=dword:00000000
    "TsInternetUser"=dword:00000000
    "SQLAgentCmdExec"=dword:00000000
    "NetShowServices"=dword:00000000
    "IWAM_"=dword:00010000
    "IUSR_"=dword:00010000
    "VUSR_"=dword:00010000
    "LogMeInRemoteUser"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1988)
    c:\windows\system32\LMIRfsClientNP.dll
    c:\windows\system32\l3codeca.acm
    .
    Completion time: 2012-04-03 16:36:13
    ComboFix-quarantined-files.txt 2012-04-03 23:36
    .
    Pre-Run: 283,015,110,656 bytes free
    Post-Run: 283,411,382,272 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
    .
    - - End Of File - - 112E0F0B8A32EC6E9E76C60CA4A5E568

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •