HijackThis - Please Help Diagnose My Logfile


  • This topic is locked
39 replies to this topic

#1 th4u

    Authentic Member

  • 29 posts

Posted 18 March 2007 - 04:51 AM

Logfile of HijackThis v1.99.1
Scan saved at 5:36:59 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\tcpsvcs.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
D:\Program Files\AnalogX\CookieWall\cookie.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Comodo\Firewall\CPF.exe
D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\Nero\Nero 7\InCD\InCD.exe
D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe
D:\Program Files\tinySpell\tinyspell.exe
D:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\DeeP125\CoodClip\CoodClip.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
D:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
D:\Program Files\Clipboard Magic\ClipboardMagic.exe
D:\Program Files\KO Approach\Approach.exe
C:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Maxthon\Maxthon.exe
D:\Program Files\Giganology\Gigaget\Gigaget.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\mikewill\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.th4u.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BitPump] "D:\Program Files\AnalogX\BitPump\bitpump.exe" /VerifySettings
O4 - HKLM\..\Run: [Gigaget] "D:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CookieWall] D:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Advanced WindowsCare V2 Pro] "D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [InCD] D:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [muBlinder] C:\Documents and Settings\mikewill\My Documents\Unzipped\muBlinder\muBlinder.exe -startup
O4 - HKCU\..\Run: [TBC Pro] "D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe"
O4 - HKCU\..\Run: [tinySpell] D:\Program Files\tinySpell\tinyspell.exe
O4 - HKCU\..\Run: [Rainlendar2] D:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Clipboard Magic.lnk = D:\Program Files\Clipboard Magic\ClipboardMagic.exe
O4 - Startup: KO Approach.lnk = D:\Program Files\KO Approach\Approach.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: CoodClip.lnk = D:\Program Files\DeeP125\CoodClip\CoodClip.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WordWeb.lnk = D:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: &Download All by Gigaget - D:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - D:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Open with BitPump - D:\Program Files\AnalogX\BitPump\ieint.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.th4u.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {20B845BF-450F-4C1E-AF60-3CC380CDE328} -
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.5.0_07) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1490BC0F-C45F-459D-AB26-760E1C0D2FD1}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe



#2 random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 18 March 2007 - 01:48 PM

Why are you running this software?

O4 - HKLM\..\Run: [muBlinder] C:\Documents and Settings\mikewill\My Documents\Unzipped\muBlinder\muBlinder.exe -startup

#3 th4u

    Authentic Member

  • 29 posts

Posted 18 March 2007 - 02:01 PM

I reinstalled Windows on a new HDD.

#4 random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 18 March 2007 - 02:06 PM

So why are you running a program that allows you to illegally bypass Windows Genuine Advantage?

#5 th4u

    Authentic Member

  • 29 posts

Posted 18 March 2007 - 02:51 PM

Is it illegal to use this program?

#6 random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 18 March 2007 - 03:45 PM

Yes.

#7 th4u

    Authentic Member

  • 29 posts

Posted 20 March 2007 - 02:22 AM

We may argue about the legality, but hopefully you would agree with me that it isn't logical to pay twice for the same program, especially when you are forced to reinstall it due to a hardware failure.
I did a little research and found the following thread: http://forums.tomcoy...mp;hl=mublinder
where you helped a guy in a similar situation. I hope you will help me as well.

Actually, I already ran Fixwareout, and here is the report.txt:

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"BitPump"="\"D:\\Program Files\\AnalogX\\BitPump\\bitpump.exe\" /VerifySettings"
"Gigaget"="\"D:\\Program Files\\Giganology\\Gigaget\\GigagetShell.exe\" /s"
"nTrayFw"="C:\\PROGRA~1\\NVIDIA~1\\NETWOR~1\\bin\\nTrayFw.exe"
"UnlockerAssistant"="\"D:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"CookieWall"="D:\\Program Files\\AnalogX\\CookieWall\\cookie.exe"
"nwiz"="nwiz.exe /install"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"AVP"="\"D:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
"SpywareTerminator"="\"D:\\Program Files\\Spyware Terminator\\SpywareTerminatorShield.exe\""
"Advanced WindowsCare V2 Pro"="\"D:\\Program Files\\IObit\\Advanced WindowsCare V2 Pro\\Awc.exe\" /startup"
"DiskeeperSystray"="\"D:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"COMODO Firewall Pro"="\"D:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
"TrueImageMonitor.exe"="D:\\Program Files\\Acronis\\TrueImageHome\\TrueImageMonitor.exe"
"AcronisTimounterMonitor"="D:\\Program Files\\Acronis\\TrueImageHome\\TimounterMonitor.exe"
"Acronis Scheduler2 Service"="\"C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe\""
"InCD"="D:\\Program Files\\Nero\\Nero 7\\InCD\\InCD.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"!AVG Anti-Spyware"="\"D:\\Program Files\\GRISOFT\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"muBlinder"="C:\\Documents and Settings\\mikewill\\My Documents\\Unzipped\\muBlinder\\muBlinder.exe -startup"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBC Pro"="\"D:\\Program Files\\TitleBarClock Pro(new)\\Tbcpro.exe\""
"tinySpell"="D:\\Program Files\\tinySpell\\tinyspell.exe"
"Rainlendar2"="D:\\Program Files\\Rainlendar2\\Rainlendar2.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"Spyware Doctor"="\"D:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"RoboForm"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpybotSD TeaTimer"="D:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»



#8 random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 20 March 2007 - 10:34 AM

Run HijackThis.
Click on "Do a system scan only".
Place a checkmark next to these lines (if still present):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} - (no file)
O16 - DPF: {20B845BF-450F-4C1E-AF60-3CC380CDE328} -
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -

Then close all windows except HijackThis and click "Fix checked".

Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner".
  • A new, smaller window will pop up. After reading the contents, press "Accept".
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next" > "Scan Settings", make sure the database is set to "extended", check both scan options, then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.
Note for Internet Explorer 7 users: if at any time you have trouble with the "Accept" button of the licence, click on the Zoom tool at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.

Post back with the Kaspersky log and a new HijackThis log.

Also let me know if you installed WinPcap.
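The triage in the reply above turns on three kinds of orphaned HijackThis entry: R0 values that are empty, O2 BHOs whose target is "(no file)", and O16 DPF entries that show a CLSID with neither a control name nor a download URL. The following parser expresses that reading of the helper's list as code. It is an added example written for this page, not code from HijackThis or from the forum; the sample lines are copied from the first log in this thread, and the separate "review" bucket for entries ending in "(file missing)" is an assumption that mirrors the helper asking about WinPcap rather than listing the rpcapd service for removal.

```python
import re
from typing import Dict, List, Optional

# Patterns for the HijackThis entry types the thread's advice depends on.
R_ENTRY = re.compile(r"^(R[01]) - (.+?),([^=]+?) = ?(.*)$")
O2_ENTRY = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O16_ENTRY = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - ?(.*)$")


def classify(line: str) -> Optional[str]:
    """Return 'fix', 'review' or None for one HijackThis log line.

    'fix'    -> an orphaned entry: an empty R0/R1 value, a BHO that points at
                '(no file)', or an O16 CLSID with neither a name nor a URL.
                These match the lines the helper asked to have checked.
    'review' -> the target binary is missing; ask what installed it before
                removing anything (assumption: the helper's WinPcap question).
    """
    line = line.rstrip()
    m = R_ENTRY.match(line)
    if m and m.group(4).strip() == "":
        return "fix"
    m = O2_ENTRY.match(line)
    if m and m.group(3).strip() == "(no file)":
        return "fix"
    m = O16_ENTRY.match(line)
    if m and m.group(2) is None and m.group(3).strip() == "":
        return "fix"
    if line.endswith("(file missing)"):
        return "review"
    return None


def triage(log_text: str) -> Dict[str, List[str]]:
    """Split a HijackThis log into lines to fix and lines to ask about."""
    result: Dict[str, List[str]] = {"fix": [], "review": []}
    for raw in log_text.splitlines():
        verdict = classify(raw)
        if verdict:
            result[verdict].append(raw.rstrip())
    return result


# Constructed sample: a subset of the entries from the first log in this thread.
SAMPLE_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.th4u.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-85AA-FD60BB9AAE22} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {20B845BF-450F-4C1E-AF60-3CC380CDE328} -
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
'''

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for bucket, lines in report.items():
        print(f"== {bucket} ({len(lines)}) ==")
        for entry in lines:
            print(entry)
```

Run against the sample, the "fix" bucket holds exactly the seven lines listed in the reply, and the "review" bucket holds the two "(file missing)" entries (xpnetdiag, which is a Windows component, and the WinPcap service the helper asked about). Entries such as the named WUWebControl DPF with an empty URL are deliberately left alone, since a missing download URL on a named, known control is not by itself a sign of anything wrong.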

#9 th4u

    Authentic Member

  • 29 posts

Posted 20 March 2007 - 01:37 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:29:25 AM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
D:\Program Files\Unlocker\UnlockerAssistant.exe
D:\Program Files\AnalogX\CookieWall\cookie.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe
D:\Program Files\Comodo\Firewall\CPF.exe
D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe
D:\Program Files\tinySpell\tinyspell.exe
D:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\Program Files\DeeP125\CoodClip\CoodClip.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
D:\Program Files\WordWeb\wweb32.exe
D:\Program Files\Spyware Terminator\sp_rsser.exe
D:\Program Files\Clipboard Magic\ClipboardMagic.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\Program Files\KO Approach\Approach.exe
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
D:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\Giganology\Gigaget\Gigaget.exe
D:\Program Files\HijackThis\HijackThis.exe
D:\Program Files\Virtual Magnifying Glass\Magnifying Glass.exe
D:\Program Files\Maxthon\Maxthon.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Win32Pad\win32pad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.th4u.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BitPump] "D:\Program Files\AnalogX\BitPump\bitpump.exe" /VerifySettings
O4 - HKLM\..\Run: [Gigaget] "D:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [CookieWall] D:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Advanced WindowsCare V2 Pro] "D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [muBlinder] C:\Documents and Settings\mikewill\My Documents\Unzipped\muBlinder\muBlinder.exe -startup
O4 - HKCU\..\Run: [TBC Pro] "D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe"
O4 - HKCU\..\Run: [tinySpell] D:\Program Files\tinySpell\tinyspell.exe
O4 - HKCU\..\Run: [Rainlendar2] D:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Magnifying Glass] "D:\Program Files\Virtual Magnifying Glass\Magnifying Glass.exe"
O4 - Startup: Clipboard Magic.lnk = D:\Program Files\Clipboard Magic\ClipboardMagic.exe
O4 - Startup: KO Approach.lnk = D:\Program Files\KO Approach\Approach.exe
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: CoodClip.lnk = D:\Program Files\DeeP125\CoodClip\CoodClip.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: WordWeb.lnk = D:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: &Download All by Gigaget - D:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - D:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Open with BitPump - D:\Program Files\AnalogX\BitPump\ieint.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.th4u.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.5.0_07) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1490BC0F-C45F-459D-AB26-760E1C0D2FD1}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - D:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 21, 2007 2:25:33 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 20/03/2007
Kaspersky Anti-Virus database records: 283674
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 145263
Number of viruses found: 3
Number of infected objects: 23 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:49:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP6\Report\0ed8_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP6\Report\0ed9_Mail_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP6\Report\0eda_pdm_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP6\Report\0eda_pdm_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP6\Report\0edc_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP6\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP6\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP6\Report\eventlog Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab\AVP6\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Windows Defender\Support\MPLog-11162006-002144.log Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\AntiPhishing\07FB382D-AA75-4683-82F4-EAB265A275CB.dat Object is locked skipped
C:\Documents and Settings\mikewill\.rainlendar2\rainlendar2.log Object is locked skipped
C:\Documents and Settings\mikewill\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Application Data\Identities\{EAB2E5D6-C5CA-4C71-9024-C66575743262}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Application Data\Identities\{EAB2E5D6-C5CA-4C71-9024-C66575743262}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{94D48E63-56E3-47C9-B232-36F0990FC0E1} Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\History\History.IE5\MSHist012007032020070321\index.dat Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Temp\googlewebaccclient.exe.log Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Temp\GoogleWebAccelerator.pac Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Temp\GoogleWebAcceleratorCache Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Temp\GoogleWebAccWarden.exe.log Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Temp\hsperfdata_mikewill\3332 Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Temp\Perflib_Perfdata_4f0.dat Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Temp\Perflib_Perfdata_d04.dat Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Temp\~DF3765.tmp Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Temp\~DF3BF4.tmp Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Temp\~DF3D38.tmp Object is locked skipped
C:\Documents and Settings\mikewill\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mikewill\My Documents\Unzipped\superfast\setup.exe/data0001 Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
C:\Documents and Settings\mikewill\My Documents\Unzipped\superfast\setup.exe Inno: infected - 1 skipped
C:\Documents and Settings\mikewill\ntuser.dat Object is locked skipped
C:\Documents and Settings\mikewill\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{07AE1D5F-E0B9-4499-886A-7F1B927854DC}\RP791\A0162486.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{07AE1D5F-E0B9-4499-886A-7F1B927854DC}\RP791\A0162486.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{07AE1D5F-E0B9-4499-886A-7F1B927854DC}\RP806\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\cch~32ab5424d3d.htp Object is locked skipped
C:\WINDOWS\Temp\cch~32ab55bfba6.htp Object is locked skipped
C:\WINDOWS\Temp\cch~32bd947d9b8.htp Object is locked skipped
C:\WINDOWS\Temp\cch~32bd9639ac8.htp Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_3d0.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Downloads\kf151.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Downloads\kf151.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Downloads\kf151.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Downloads\kf151.zip ZIP: infected - 3 skipped
D:\Downloads\Nero 7 Premium Reloaded 7.7.5.1 (full) + Portable Nero 7.5.9.0\Nero-7.7.5.1_eng\Nero-7.7.5.1_eng.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
D:\Downloads\Nero 7 Premium Reloaded 7.7.5.1 (full) + Portable Nero 7.5.9.0\Nero-7.7.5.1_eng\Nero-7.7.5.1_eng.exe RAR: infected - 1 skipped
D:\Downloads\superfast.zip/setup.exe/data0001 Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
D:\Downloads\superfast.zip/setup.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
D:\Downloads\superfast.zip ZIP: infected - 2 skipped
D:\My Data\Unzipped\superfast\setup.exe/data0001 Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
D:\My Data\Unzipped\superfast\setup.exe Inno: infected - 1 skipped
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-03-20.23-35-54.log Object is locked skipped
D:\Program Files\Giganology\Gigaget\gigaget.log Object is locked skipped
D:\Program Files\Giganology\Gigaget\Update.log Object is locked skipped
D:\Program Files\Super Fast Shutdown\shutdown.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
D:\Program Files\tinySpell\custom.dct Object is locked skipped
D:\Program Files\tinySpell\tstemp.dct Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{07AE1D5F-E0B9-4499-886A-7F1B927854DC}\RP806\change.log Object is locked skipped
D:\Unzipped\ViewKeyXP\kf151\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Unzipped\ViewKeyXP\kf151\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Unzipped\ViewKeyXP\kf151\keyfinder.exe RarSFX: infected - 2 skipped
E:\Default Backup by GENIE\New Backup Job.gbp/MF/D/Program Files/Super Fast Shutdown/shutdown.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
E:\Default Backup by GENIE\New Backup Job.gbp/MP/MyDoc/Unzipped/superfast/setup.exe/data0001 Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
E:\Default Backup by GENIE\New Backup Job.gbp/MP/MyDoc/Unzipped/superfast/setup.exe Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
E:\Default Backup by GENIE\New Backup Job.gbp ZIP: infected - 3 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\Diskeeper\IfaastMon.dat Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
--

Re: winpcap
I have installed WinPcap. Although, after "Magic Speed" wiped out many of my programs, I'm not sure if it's still functional. There are only two files in the "C:\Program Files\WinPcap" folder: rpcapd.exe (Remote Packet Capture Daemon, CACE Technologies) and Uninstall.exe (WinPcap 4.0 installer, CACE Technologies). If I go to START > All Programs > WinPcap (folder), there is only an "Uninstall WinPcap 4.0" link and a link to the "WinPcap Web Site".

Should I uninstall or reinstall it?
--

#10 random/random

    MRU Expert

  • Malware Expert
  • 481 posts
Posted 20 March 2007 - 01:55 PM

You can try reinstalling winpcap
  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver to load
  • If it warns you about rootkit activity and asks if you want to run a scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic
  • Download WinPFind by OldTimer here
  • Double click on winpfind.exe to extract it
  • Click extract
  • Wait for the message "All files have been extracted" and then click OK
  • This will create the folder winPFind on your desktop
  • Inside that folder is a file called WinPFind.exe
  • Double click on that file to launch WinPFind
  • This will launch a configuration screen
    • Under Driver Services change the selection to Non-Microsoft
    • Under File Created Within change the selection to 60 days
    • Leave the other settings as they are
  • Click Run Scan
  • During the scan WinPFind may appear to be not responding; this is normal
  • Wait for the scan to finish; this may take several minutes
  • A notepad window will open with WinPFind's log.
  • Copy and paste the contents of that window here.
  • Note: You may need several posts to post the entire log, or it might get cut off
Post back with the winpfind log, the GMER logs and a new HijackThis log


#11 th4u

    Authentic Member

  • 29 posts

Posted 20 March 2007 - 02:36 PM

gmerautos.txt

GMER 1.0.12.12086 - http://www.gmer.net
Autostart scan 2007-03-21 03:22:14
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon@DLLName = C:\WINDOWS\system32\klogon.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AcrSch2Svc /*Acronis Scheduler2 Service*/@ = "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
AVP /*Kaspersky Anti-Virus 6.0*/@ = "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r
CmdAgent /*Comodo Application Agent*/@ = D:\Program Files\Comodo\Firewall\cmdagent.exe
Diskeeper /*Diskeeper*/@ = "D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe"
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
InCDsrv /*InCD Helper*/@ = D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\system32\nvsvc32.exe
prfldsvc /*Private Folder Service*/@ = D:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
ProtexisLicensing /*ProtexisLicensing*/@ = C:\WINDOWS\system32\PSIService.exe
SDhelper /*PC Tools Spyware Doctor*/@ = D:\Program Files\Spyware Doctor\sdhelp.exe
SimpTcp /*Simple TCP/IP Services*/@ = %SystemRoot%\system32\tcpsvcs.exe
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
sp_rssrv /*Spyware Terminator Realtime Shield Service*/@ = D:\Program Files\Spyware Terminator\sp_rsser.exe
StarWindService /*StarWind iSCSI Service*/@ = D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
UPHClean /*User Profile Hive Cleanup*/@ = D:\Program Files\UPHClean\uphclean.exe
WinDefend /*Windows Defender*/@ = "C:\Program Files\Windows Defender\MsMpEng.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@BitPump"D:\Program Files\AnalogX\BitPump\bitpump.exe" /VerifySettings = "D:\Program Files\AnalogX\BitPump\bitpump.exe" /VerifySettings
@Gigaget"D:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s = "D:\Program Files\Giganology\Gigaget\GigagetShell.exe" /s
@nTrayFwC:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe = C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
@UnlockerAssistant"D:\Program Files\Unlocker\UnlockerAssistant.exe" = "D:\Program Files\Unlocker\UnlockerAssistant.exe"
@CookieWallD:\Program Files\AnalogX\CookieWall\cookie.exe = D:\Program Files\AnalogX\CookieWall\cookie.exe
@nwiznwiz.exe /install = nwiz.exe /install
@Windows Defender"C:\Program Files\Windows Defender\MSASCui.exe" -hide = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
@AVP"D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" = "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
@SpywareTerminator"D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" = "D:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
@Advanced WindowsCare V2 Pro"D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup = "D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup
@NeroFilterCheckC:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe = C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
@NvMediaCenterRUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit = RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
@COMODO Firewall Pro"D:\Program Files\Comodo\Firewall\CPF.exe" /background = "D:\Program Files\Comodo\Firewall\CPF.exe" /background
@TrueImageMonitor.exeD:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe = D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
@AcronisTimounterMonitorD:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe = D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
@Acronis Scheduler2 Service"C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" = "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
@!AVG Anti-Spyware"D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@muBlinderC:\Documents and Settings\mikewill\My Documents\Unzipped\muBlinder\muBlinder.exe -startup /*file not found*/ = C:\Documents and Settings\mikewill\My Documents\Unzipped\muBlinder\muBlinder.exe -startup /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@TBC Pro"D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe" = "D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe"
@tinySpellD:\Program Files\tinySpell\tinyspell.exe = D:\Program Files\tinySpell\tinyspell.exe
@Rainlendar2D:\Program Files\Rainlendar2\Rainlendar2.exe = D:\Program Files\Rainlendar2\Rainlendar2.exe
@swgC:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
@Spyware Doctor"D:\Program Files\Spyware Doctor\swdoctor.exe" /Q = "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
@RoboForm"C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" = "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
@BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" = "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@SpybotSD TeaTimerD:\Program Files\Spybot - Search & Destroy\TeaTimer.exe = D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
@Magnifying Glass"D:\Program Files\Virtual Magnifying Glass\Magnifying Glass.exe" = "D:\Program Files\Virtual Magnifying Glass\Magnifying Glass.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>>
@WPDShServiceObjC:\WINDOWS\system32\WPDShServiceObj.dll = C:\WINDOWS\system32\WPDShServiceObj.dll
@UPnPMonitorC:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}C:\PROGRA~1\WIFD1F~1\MpShHook.dll = C:\PROGRA~1\WIFD1F~1\MpShHook.dll
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll = D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/D:\PROGRA~1\WINZIP\WZSHLSTB.DLL = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/D:\PROGRA~1\WINZIP\WZSHLSTB.DLL = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/D:\PROGRA~1\WINZIP\WZSHLSTB.DLL = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/D:\PROGRA~1\WINZIP\WZSHLSTB.DLL = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/D:\Program Files\WinRAR\rarext.dll = D:\Program Files\WinRAR\rarext.dll
@{2B3453E4-49DF-11D3-8229-0080BE509050} /*GMail Drive*/C:\WINDOWS\system32\ShellExt\GMailFS.dll = C:\WINDOWS\system32\ShellExt\GMailFS.dll
@{2B3453E4-49DF-11D3-8229-0080BE509052} /*GMailFS Property Sheet*/C:\WINDOWS\system32\ShellExt\GMailFS.dll = C:\WINDOWS\system32\ShellExt\GMailFS.dll
@{2B3453E4-49DF-11D3-8229-0080BE509054} /*GMailFS Drop Handler*/C:\WINDOWS\system32\ShellExt\GMailFS.dll = C:\WINDOWS\system32\ShellExt\GMailFS.dll
@{2B3453E4-49DF-11D3-8229-0080BE509056} /*GMailFS Context Menu*/C:\WINDOWS\system32\ShellExt\GMailFS.dll = C:\WINDOWS\system32\ShellExt\GMailFS.dll
@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} /*UnlockerShellExtension*/D:\Program Files\Unlocker\UnlockerCOM.dll = D:\Program Files\Unlocker\UnlockerCOM.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{85E0B171-04FA-11D1-B7DA-00A0C90348D6} /*Web Anti-Virus statistics*/D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll = D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
@{BD88A479-9623-4897-8546-BC62B9628F44} /*SPTHandler*/D:\Program Files\Spyware Terminator\sptcontmenu.dll = D:\Program Files\Spyware Terminator\sptcontmenu.dll
@{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Universal Plug and Play Devices*/C:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll
@{C539A15A-3AF9-4c92-B771-50CB78F5C751} /*Acronis True Image Shell Context Menu Extension*/D:\Program Files\Acronis\TrueImageHome\tishell.dll = D:\Program Files\Acronis\TrueImageHome\tishell.dll
@{C539A15B-3AF9-4c92-B771-50CB78F5C751} /*Acronis True Image Shell Extension*/D:\Program Files\Acronis\TrueImageHome\tishell.dll = D:\Program Files\Acronis\TrueImageHome\tishell.dll
@{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} /*NeroCoverEd Live Icons*/D:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll = D:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll
@{226b64e8-dc75-4eea-a6c8-abcb4d1d37ff} /*Dave's Quick Search Deskbar*/(null) =
@{EC9FE983-E520-4D8F-B1A7-ACBCA0439C70} /*Dave's Quick Search Deskbar*/C:\Program Files\Quick Search Deskbar\DQSDHost.dll = C:\Program Files\Quick Search Deskbar\DQSDHost.dll
@{A02DEEEB-DD87-4a4f-8F2E-B633A59BA18A} /*Private Folder Copyhook Extention*/D:\Program Files\Microsoft Private Folder 1.0\ShellExt.dll = D:\Program Files\Microsoft Private Folder 1.0\ShellExt.dll
@{3B153CB3-A551-4fe6-A68B-F5C96650FF39} /*Private Folder Copyhook Extention*/D:\Program Files\Microsoft Private Folder 1.0\ShellExt.dll = D:\Program Files\Microsoft Private Folder 1.0\ShellExt.dll
@{78237F62-8EC8-438C-83B0-1DECB4303076} /*Private Folder FSFolder Extention*/D:\Program Files\Microsoft Private Folder 1.0\ShellExt.dll = D:\Program Files\Microsoft Private Folder 1.0\ShellExt.dll
@{B0FAF2DA-13EA-41CA-A62F-850DC01D1C01} /*Private Folder Shortcut Extention*/D:\Program Files\Microsoft Private Folder 1.0\ShellExt.dll = D:\Program Files\Microsoft Private Folder 1.0\ShellExt.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
Cover Designer@{73FCA462-9BD5-4065-A73F-A8E5F6904EF7} = D:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll
InCDShellExt@{CAE3251E-9B15-4810-B268-852AD9792A59} = D:\Program Files\Nero\Nero 7\InCD\InCDshx.dll
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll
SPTContMenu@{BD88A479-9623-4897-8546-BC62B9628F44} = D:\Program Files\Spyware Terminator\sptcontmenu.dll
UltraEdit-32@{b5eedee0-c06e-11cf-8c56-444553540000} = D:\Program Files\IDM Computer Solutions\UltraEdit-32\ue32ctmn.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Program Files\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers >>>
@{C539A15A-3AF9-4c92-B771-50CB78F5C751}D:\Program Files\Acronis\TrueImageHome\tishell.dll = D:\Program Files\Acronis\TrueImageHome\tishell.dll
@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}D:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll = D:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AgentRansackHere@{6646F704-1528-4B5C-BAB7-176FA4B5F80A}} =
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
InCDShellExt@{CAE3251E-9B15-4810-B268-852AD9792A59} = D:\Program Files\Nero\Nero 7\InCD\InCDshx.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Program Files\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
InCDShellExt@{CAE3251E-9B15-4810-B268-852AD9792A59} = D:\Program Files\Nero\Nero 7\InCD\InCDshx.dll
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll
SPTContMenu@{BD88A479-9623-4897-8546-BC62B9628F44} = D:\Program Files\Spyware Terminator\sptcontmenu.dll
UnlockerShellExtension@{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} = D:\Program Files\Unlocker\UnlockerCOM.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Program Files\WinRAR\rarext.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers >>>
@{C539A15A-3AF9-4c92-B771-50CB78F5C751}D:\Program Files\Acronis\TrueImageHome\tishell.dll = D:\Program Files\Acronis\TrueImageHome\tishell.dll
@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}D:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll = D:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{111CAA23-6F4F-42AC-8555-B48C1D87BBAB}C:\WINDOWS\system32\gigagetbho_v10.dll = C:\WINDOWS\system32\gigagetbho_v10.dll
@{53707962-6F74-2D53-2644-206D7942484F}D:\PROGRA~1\SPYBOT~1\SDHelper.dll = D:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}D:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll = D:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
@{69A87B7D-DE56-4136-9655-716BA50C19C7}C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll = C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
@{724d43a9-0d85-11d4-9908-00400523e39a}C:\Program Files\Siber Systems\AI RoboForm\roboform.dll = C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}D:\Program Files\Java\jre1.6.0\bin\ssv.dll = D:\Program Files\Java\jre1.6.0\bin\ssv.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\program files\google\googletoolbar2.dll = c:\program files\google\googletoolbar2.dll
@{B56A7D7D-6927-48C8-A975-17DF180C71AC}D:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll = D:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157
@Local PageC:\WINDOWS\SYSTEM32\blank.htm = C:\WINDOWS\SYSTEM32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.th4u.com/ = http://www.th4u.com/
@Local PageC:\WINDOWS\SYSTEM32\blank.htm = C:\WINDOWS\SYSTEM32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
skype4com@CLSID = C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>
000000000005@LibraryPath = C:\WINDOWS\system32\pnrpnsp.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000006@LibraryPath = C:\WINDOWS\system32\pnrpnsp.dll

C:\Documents and Settings\mikewill\Start Menu\Programs\Startup >>>
Clipboard Magic.lnk = Clipboard Magic.lnk
KO Approach.lnk = KO Approach.lnk
Wallpaper Changer.lnk = Wallpaper Changer.lnk

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup >>>
CoodClip.lnk = CoodClip.lnk
Run Google Web Accelerator.lnk = Run Google Web Accelerator.lnk
WordWeb.lnk = WordWeb.lnk

---- EOF - GMER 1.0.12 ----
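The GMER logs posted in this thread list, per driver, which SSDT entries it has taken over, and, per process, the same handful of 3- and 6-byte patches at ntdll.dll!NtTerminateProcess, kernel32.dll!LoadLibraryExW, user32.dll!SetWindowsHookEx* and GDI32.dll!Escape. Reading that raw is slow; what helps triage is a grouping: which driver owns which Zw* entries, whether every SSDT hooker is a product known to be installed, and which user-mode hooks appear in nearly every process (a product's system-wide hooking DLL) versus in exactly one process (worth a closer look). The Python below is an added example for that, not GMER's code and not anything th4u posted. The two line regexes are inferred from the posted output (GMER's format is not formally documented), KNOWN_SSDT_HOOKERS is an assumed analyst-maintained allow-list built from the products visible in the HijackThis process list, and SAMPLE is a subset of lines copied from the posted GMER log.

```python
import re
from collections import defaultdict

# Two GMER 1.0.12 line shapes are handled; the regexes are an assumption derived from
# the output posted in this thread. Kernel ".text module!symbol" lines (no [pid]) and
# everything else are ignored.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<func>\S+)\s*$")
USER_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"          # process path and PID
    r"(?P<dll>[^\s!]+)!(?P<export>\S+(?:\s\+\s\S+)?)\s+"   # dll!Export or dll!Export + off
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<rest>.+?)\s*$"
)

# Assumed, analyst-maintained allow-list: kernel modules expected to hook the SSDT
# because an installed security product owns them. Build it from what is actually
# installed on the machine being triaged, not from a fixed vendor table.
KNOWN_SSDT_HOOKERS = {"klif.sys", "sp_rsdrv2.sys", "cmdmon.sys", "guard.sys", "uphcleanhlp.sys"}


def basename(path):
    """Last component of an NT (\\??\\C:\\...) or Win32 path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(lines):
    """Return (ssdt_hooks, user_hooks) from GMER output lines."""
    ssdt, user = [], []
    for raw in lines:
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            ssdt.append((basename(m["module"]), m["func"]))
            continue
        m = USER_RE.match(line)
        if m:
            user.append({"proc": basename(m["proc"]),
                         "hook": m["dll"].lower() + "!" + m["export"],
                         "rest": m["rest"]})          # "JMP <addr> [dll]" or raw bytes
    return ssdt, user


def triage(lines):
    """Group hooks so product-wide hooking can be told apart from one-off hooks."""
    ssdt, user = parse(lines)

    ssdt_by_module = defaultdict(list)
    for module, func in ssdt:
        ssdt_by_module[module].append(func)
    unknown = sorted(m for m in ssdt_by_module if m not in KNOWN_SSDT_HOOKERS)

    procs, detail = defaultdict(set), defaultdict(set)
    for h in user:
        procs[h["hook"]].add(h["proc"])
        detail[h["hook"]].add(h["rest"])
    nprocs = len({h["proc"] for h in user})
    widespread_min = max(2, (nprocs + 1) // 2)     # present in at least half the processes

    return {
        "ssdt_by_module": {m: sorted(f) for m, f in ssdt_by_module.items()},
        "unknown_ssdt_modules": unknown,            # not on the allow-list: review first
        "widespread": sorted(h for h, p in procs.items() if len(p) >= widespread_min),
        "outliers": sorted((h, next(iter(p)), sorted(detail[h]))
                           for h, p in procs.items() if len(p) == 1),
    }


# Representative subset of lines copied from the GMER output posted in this thread.
SAMPLE = r"""
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
SSDT \??\D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\explorer.exe[576] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\explorer.exe[576] SHELL32.dll!StrStrW + FFE34A26 7C9CF908 4 Bytes [ E0, 0B, 8D, 77 ]
.text C:\WINDOWS\explorer.exe[576] SHELL32.dll!SHFileOperationW 7CA6FD0A 5 Bytes JMP 10001102 D:\Program Files\Unlocker\UnlockerHook.dll
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F08001E
.text C:\WINDOWS\system32\csrss.exe[1124] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1124] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\csrss.exe[1124] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Spyware Doctor\swdoctor.exe[1264] user32.dll!DispatchMessageA 77D496B8 6 Bytes JMP 5F040F5A
""".strip().splitlines()


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key)
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```

To run it on a saved log, pass the file's lines to triage() instead of SAMPLE. The "widespread" bucket is the set of hooks a HIPS or anti-spyware product injects into every process; a hook that is in one process only lands in "outliers" together with what it jumps to, which is where a DLL name (like UnlockerHook.dll in explorer.exe above) or an address with no module behind it is worth checking by hand. An SSDT hooker missing from the allow-list is not proof of a rootkit, only the first thing to identify.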



#12 th4u

Authentic Member, 29 posts

Posted 20 March 2007 - 02:45 PM

gmerrk.txt part 1
[quote]GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-21 03:19:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreatePort
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteFile
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwFlushKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwInitializeRegistry
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey2
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwNotifyChangeKey
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenKey
SSDT \??\D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryMultipleValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSaveKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetSecurityObject
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwShutdownSystem
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwWriteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFileGather
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]

Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAE80 5 Bytes JMP AB360F00 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF808 5 Bytes JMP AB361400 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntkrnlpa.exe!KiDispatchInterrupt + 102 80544D02 5 Bytes [ F6, E1, 2A, 90, 90 ]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B8C1E62C 5 Bytes JMP 8A3511B8
? C:\WINDOWS\TEMP\mc22.tmp The system cannot find the file specified.
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.12 ----

.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] user32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] user32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\spoolsv.exe[444] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[444] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[444] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\spoolsv.exe[444] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[444] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[444] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\spoolsv.exe[444] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[444] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\explorer.exe[576] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\explorer.exe[576] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F0E0F5A
.text C:\WINDOWS\explorer.exe[576] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\explorer.exe[576] SHELL32.dll!StrStrW + FFE34A26 7C9CF908 4 Bytes [ E0, 0B, 8D, 77 ]
.text C:\WINDOWS\explorer.exe[576] SHELL32.dll!SHFileOperationW 7CA6FD0A 5 Bytes JMP 10001102 D:\Program Files\Unlocker\UnlockerHook.dll
.text C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe[768] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F0E0F5A
.text C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe[768] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe[768] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F08001E
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0B001E
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F05001E
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1B001E
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F17001E
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F11001E
.text C:\WINDOWS\system32\ctfmon.exe[908] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[908] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[908] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[908] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\ctfmon.exe[908] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\SOUNDMAN.EXE[916] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SOUNDMAN.EXE[916] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SOUNDMAN.EXE[916] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\SOUNDMAN.EXE[916] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\SOUNDMAN.EXE[916] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\SOUNDMAN.EXE[916] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\SOUNDMAN.EXE[916] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\SOUNDMAN.EXE[916] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\csrss.exe[1124] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1124] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1124] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\csrss.exe[1124] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\csrss.exe[1124] KERNEL32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[1124] KERNEL32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[1124] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\csrss.exe[1124] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\winlogon.exe[1156] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1156] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[1156] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\winlogon.exe[1156] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\winlogon.exe[1156] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\services.exe[1200] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[1200] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[1200] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\services.exe[1200] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\services.exe[1200] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\lsass.exe[1212] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[1212] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\lsass.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\lsass.exe[1212] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[1212] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[1212] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\lsass.exe[1212] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\lsass.exe[1212] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] user32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] user32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Spyware Doctor\swdoctor.exe[1264] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Spyware Doctor\swdoctor.exe[1264] user32.dll!DispatchMessageA 77D496B8 6 Bytes JMP 5F040F5A
.text D:\Program Files\Spyware Doctor\swdoctor.exe[1264] user32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F140F5A
.text D:\Program Files\Spyware Doctor\swdoctor.exe[1264] user32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F100F5A
.text D:\Program Files\Spyware Doctor\swdoctor.exe[1264] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1376] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[1436] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1436] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1436] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\svchost.exe[1436] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1436] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1576] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 12, 5F ]
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 05, 5F ]
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F08001E
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0F001E
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F0B001E
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1F001E
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F1B001E
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F15001E
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1692] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] user32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] user32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\tinySpell\tinyspell.exe[1788] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\tinySpell\tinyspell.exe[1788] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\tinySpell\tinyspell.exe[1788] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\tinySpell\tinyspell.exe[1788] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\tinySpell\tinyspell.exe[1788] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\tinySpell\tinyspell.exe[1788] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\tinySpell\tinyspell.exe[1788] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\tinySpell\tinyspell.exe[1788] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1796] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1796] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1796] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\svchost.exe[1796] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1796] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[2024] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F0E0F5A
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[2024] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[2024] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F040F5A
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe[2188] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe[2188] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe[2188] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe[2188] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe[2188] kernel32.dll!C

#13 th4u

Posted 20 March 2007 - 02:46 PM

gmerrk.txt part 2
[quote]---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 8A78C1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 8A78C1D8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CREATE 8A350758
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CLOSE 8A350758
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 8A350758
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A350758
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_POWER 8A350758
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 8A350758
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_PNP 8A350758
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 8A71A1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 8A71A1D8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_CREATE 8A3391D8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_CLOSE 8A3391D8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 8A3391D8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A3391D8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_POWER 8A3391D8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 8A3391D8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_PNP 8A3391D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 8A78F1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 8A35B980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 8A35B980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 8A35B980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 8A35B980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 8A35B980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 8A35B980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A35B980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 8A35B980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 8A35B980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 8A35B980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 8A35B980
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_READ 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_WRITE 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FLUSH_BUFFERS 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SHUTDOWN 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLEANUP 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_POWER 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SYSTEM_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_PNP 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CREATE 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_READ 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_WRITE 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_FLUSH_BUFFERS 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_DEVICE_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SHUTDOWN 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CLEANUP 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_POWER 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SYSTEM_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_PNP 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_CREATE 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_READ 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_WRITE 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_FLUSH_BUFFERS 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_DEVICE_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_SHUTDOWN 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_CLEANUP 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_POWER 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_SYSTEM_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_PNP 8A78F1D8
Device \Driver\nvata \Device\00000082 IRP_MJ_CREATE 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_CREATE_NAMED_PIPE 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_CLOSE 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_READ 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_WRITE 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_QUERY_INFORMATION 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_SET_INFORMATION 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_QUERY_EA 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_SET_EA 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_FLUSH_BUFFERS 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_QUERY_VOLUME_INFORMATION 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_SET_VOLUME_INFORMATION 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_DIRECTORY_CONTROL 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_FILE_SYSTEM_CONTROL 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_DEVICE_CONTROL 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_SHUTDOWN 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_LOCK_CONTROL 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_CLEANUP 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_CREATE_MAILSLOT 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_QUERY_SECURITY 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_SET_SECURITY 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_POWER 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_SYSTEM_CONTROL 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_DEVICE_CHANGE 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_QUERY_QUOTA 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_SET_QUOTA 8A7191D8
Device \Driver\nvata \Device\00000082 IRP_MJ_PNP 8A7191D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 894161D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 894161D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 894161D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 894161D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 894161D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 894161D8
Device \Driver\nvata \Device\00000084 IRP_MJ_CREATE 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_CREATE_NAMED_PIPE 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_CLOSE 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_READ 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_WRITE 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_QUERY_INFORMATION 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_SET_INFORMATION 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_QUERY_EA 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_SET_EA 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_FLUSH_BUFFERS 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_QUERY_VOLUME_INFORMATION 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_SET_VOLUME_INFORMATION 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_DIRECTORY_CONTROL 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_FILE_SYSTEM_CONTROL 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_DEVICE_CONTROL 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_SHUTDOWN 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_LOCK_CONTROL 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_CLEANUP 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_CREATE_MAILSLOT 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_QUERY_SECURITY 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_SET_SECURITY 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_POWER 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_SYSTEM_CONTROL 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_DEVICE_CHANGE 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_QUERY_QUOTA 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_SET_QUOTA 8A7191D8
Device \Driver\nvata \Device\00000084 IRP_MJ_PNP 8A7191D8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 894161D8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 894161D8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 894161D8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 894161D8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 894161D8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 894161D8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_CREATE 8A350758
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_CLOSE 8A350758
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 8A350758
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A350758
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_POWER 8A350758
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 8A350758
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_PNP 8A350758
Device \Driver\NetBT \Device\NetBT_Tcpip_{1490BC0F-C45F-459D-AB26-760E1C0D2FD1} IRP_MJ_CREATE 894161D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{1490BC0F-C45F-459D-AB26-760E1C0D2FD1} IRP_MJ_CLOSE 894161D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{1490BC0F-C45F-459D-AB26-760E1C0D2FD1} IRP_MJ_DEVICE_CONTROL 894161D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{1490BC0F-C45F-459D-AB26-760E1C0D2FD1} IRP_MJ_INTERNAL_DEVICE_CONTROL 894161D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{1490BC0F-C45F-459D-AB26-760E1C0D2FD1} IRP_MJ_CLEANUP 894161D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{1490BC0F-C45F-459D-AB26-760E1C0D2FD1} IRP_MJ_PNP 894161D8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_CREATE 8A3391D8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_CLOSE 8A3391D8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL 8A3391D8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A3391D8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_POWER 8A3391D8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL 8A3391D8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_PNP 8A3391D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CREATE 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CREATE_NAMED_PIPE 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CLOSE 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_READ 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_WRITE 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_INFORMATION 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_INFORMATION 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_EA 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_EA 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_FLUSH_BUFFERS 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_VOLUME_INFORMATION 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_VOLUME_INFORMATION 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_DIRECTORY_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_FILE_SYSTEM_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_DEVICE_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SHUTDOWN 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_LOCK_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CLEANUP 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CREATE_MAILSLOT 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_SECURITY 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_SECURITY 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_POWER 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SYSTEM_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_DEVICE_CHANGE 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_QUOTA 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_QUOTA 8A7191D8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_PNP 8A7191D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 8936D1D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CREATE 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CREATE_NAMED_PIPE 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CLOSE 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_READ 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_WRITE 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_INFORMATION 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_INFORMATION 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_EA 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_EA 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_FLUSH_BUFFERS 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_VOLUME_INFORMATION 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_VOLUME_INFORMATION 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_DIRECTORY_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_FILE_SYSTEM_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_DEVICE_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SHUTDOWN 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_LOCK_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CLEANUP 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CREATE_MAILSLOT 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_SECURITY 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_SECURITY 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_POWER 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SYSTEM_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_DEVICE_CHANGE 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_QUOTA 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_QUOTA 8A7191D8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_PNP 8A7191D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 8936D1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 8936D1D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CREATE 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CREATE_NAMED_PIPE 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CLOSE 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_READ 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_WRITE 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_INFORMATION 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_INFORMATION 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_EA 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_EA 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_FLUSH_BUFFERS 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_VOLUME_INFORMATION 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_VOLUME_INFORMATION 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_DIRECTORY_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_FILE_SYSTEM_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_DEVICE_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SHUTDOWN 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_LOCK_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CLEANUP 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CREATE_MAILSLOT 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_SECURITY 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_SECURITY 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_POWER 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SYSTEM_CONTROL 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_DEVICE_CHANGE 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_QUOTA 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_QUOTA 8A7191D8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_PNP 8A7191D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 8A78F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 8A78F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 8A78F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 8A78F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 8A78F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 8A78F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 8A78F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 8A78F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 8A78F1D8
Device \Driver\imagedrv \Device\Scsi\imagedrv1 IRP_MJ_CREATE 8A78D1D8
Device \Driver\imagedrv \Device\Scsi\imagedrv1 IRP_MJ_CLOSE 8A78D1D8
Device \Driver\imagedrv \Device\Scsi\imagedrv1 IRP_MJ_DEVICE_CONTROL 8A78D1D8
Device \Driver\imagedrv \Device\Scsi\imagedrv

#14 th4u

    Authentic Member

  • 29 posts

Posted 20 March 2007 - 02:53 PM

There was some problem - I'm posting gmerrk.txt part 1 once more...
[quote]GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-21 03:19:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreatePort
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteFile
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwFlushKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwInitializeRegistry
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey2
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwNotifyChangeKey
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenKey
SSDT \??\D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryMultipleValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSaveKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetSecurityObject
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwShutdownSystem
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwWriteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFileGather
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]

Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAE80 5 Bytes JMP AB360F00 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF808 5 Bytes JMP AB361400 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntkrnlpa.exe!KiDispatchInterrupt + 102 80544D02 5 Bytes [ F6, E1, 2A, 90, 90 ]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B8C1E62C 5 Bytes JMP 8A3511B8
? C:\WINDOWS\TEMP\mc22.tmp The system cannot find the file specified.
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.12 ----

.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] user32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] user32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe[404] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\spoolsv.exe[444] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[444] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[444] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\spoolsv.exe[444] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[444] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[444] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\spoolsv.exe[444] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[444] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\explorer.exe[576] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\explorer.exe[576] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F0E0F5A
.text C:\WINDOWS\explorer.exe[576] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\explorer.exe[576] SHELL32.dll!StrStrW + FFE34A26 7C9CF908 4 Bytes [ E0, 0B, 8D, 77 ]
.text C:\WINDOWS\explorer.exe[576] SHELL32.dll!SHFileOperationW 7CA6FD0A 5 Bytes JMP 10001102 D:\Program Files\Unlocker\UnlockerHook.dll
.text C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe[768] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F0E0F5A
.text C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe[768] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Google\Web Accelerator\GoogleWebAccClient.exe[768] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[780] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F08001E
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0B001E
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F05001E
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1B001E
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F17001E
.text D:\Program Files\Comodo\Firewall\cmdagent.exe[892] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F11001E
.text C:\WINDOWS\system32\ctfmon.exe[908] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[908] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[908] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[908] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[908] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\ctfmon.exe[908] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\SOUNDMAN.EXE[916] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SOUNDMAN.EXE[916] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SOUNDMAN.EXE[916] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\SOUNDMAN.EXE[916] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\SOUNDMAN.EXE[916] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\SOUNDMAN.EXE[916] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\SOUNDMAN.EXE[916] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\SOUNDMAN.EXE[916] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[976] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\Unlocker\UnlockerAssistant.exe[1032] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\AnalogX\CookieWall\cookie.exe[1084] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\Program Files\Windows Defender\MSASCui.exe[1100] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\csrss.exe[1124] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1124] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1124] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\csrss.exe[1124] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\csrss.exe[1124] KERNEL32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[1124] KERNEL32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[1124] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\csrss.exe[1124] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\winlogon.exe[1156] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1156] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[1156] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[1156] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\winlogon.exe[1156] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\winlogon.exe[1156] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\services.exe[1200] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[1200] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[1200] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[1200] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\services.exe[1200] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\services.exe[1200] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\lsass.exe[1212] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[1212] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\lsass.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\lsass.exe[1212] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[1212] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[1212] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\lsass.exe[1212] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\lsass.exe[1212] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] user32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] user32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe[1236] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Spyware Doctor\swdoctor.exe[1264] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Spyware Doctor\swdoctor.exe[1264] user32.dll!DispatchMessageA 77D496B8 6 Bytes JMP 5F040F5A
.text D:\Program Files\Spyware Doctor\swdoctor.exe[1264] user32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F140F5A
.text D:\Program Files\Spyware Doctor\swdoctor.exe[1264] user32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F100F5A
.text D:\Program Files\Spyware Doctor\swdoctor.exe[1264] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1376] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1376] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[1436] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1436] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1436] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\svchost.exe[1436] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1436] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Windows Defender\MsMpEng.exe[1536] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\svchost.exe[1576] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1576] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 12, 5F ]
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 05, 5F ]
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F08001E
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0F001E
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F0B001E
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1F001E
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F1B001E
.text D:\Program Files\Comodo\Firewall\cpf.exe[1640] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F15001E
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe[1660] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1692] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe[1704] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe[1712] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe[1748] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] user32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] user32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\TitleBarClock Pro(new)\Tbcpro.exe[1768] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\tinySpell\tinyspell.exe[1788] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\tinySpell\tinyspell.exe[1788] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\tinySpell\tinyspell.exe[1788] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\tinySpell\tinyspell.exe[1788] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\tinySpell\tinyspell.exe[1788] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\tinySpell\tinyspell.exe[1788] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\tinySpell\tinyspell.exe[1788] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\tinySpell\tinyspell.exe[1788] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1796] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1796] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1796] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\WINDOWS\system32\svchost.exe[1796] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\svchost.exe[1796] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\Rainlendar2\Rainlendar2.exe[1848] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe[1872] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[2024] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F0E0F5A
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[2024] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[2024] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F040F5A
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] USER32.dll!SetWindowsHookExW 77D5E4AF 6 Bytes JMP 5F1A0F5A
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] USER32.dll!SetWindowsHookExA 77D611E9 6 Bytes JMP 5F160F5A
.text D:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[2076] GDI32.dll!Escape 77F26926 6 Bytes JMP 5F100F5A
.text C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe[2188] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe[2188] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe[2188] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe[2188] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Siber Systems\AI Robo

#15 th4u

  • Authentic Member
  • 29 posts

Posted 20 March 2007 - 03:00 PM

That was not correct again. I should divide gmerrk.txt into three parts:
Part 1

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-21 03:19:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwClose
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreatePort
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwCreateSection
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteFile
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwFlushKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwInitializeRegistry
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwLoadDriver
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey2
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwNotifyChangeKey
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenKey
SSDT \??\D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryMultipleValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSaveKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetSecurityObject
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwShutdownSystem
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey
SSDT \??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys ZwWriteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFileGather
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]

Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAE80 5 Bytes JMP AB360F00 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF808 5 Bytes JMP AB361400 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntkrnlpa.exe!KiDispatchInterrupt + 102 80544D02 5 Bytes [ F6, E1, 2A, 90, 90 ]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B8C1E62C 5 Bytes JMP 8A3511B8
? C:\WINDOWS\TEMP\mc22.tmp The system cannot find the file specified.
? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.12 ----

