
Topic: google redirect, taskbar changes appearance + usb internet connection down etc.

  1. #31
    Moderator (global), team member: Jintan
    Member since
    25.11.2006
    Posts
    5.969

    Re: Re: google redirect, taskbar changes appearance + usb internet connection down et

    I received the upload, thanks. It did contain an mdll.dl file you mentioned earlier. Only contained what is likely encrypted code, so surely suspect, but no info we can use here. The Reglooks log shows a few items we need to address, which may aid the ComboFix run issue. And some AVG remnants, which also can be a factor. But we still need to get a decent swap-out of the files you got replacements for.


    Click here and download sUBs' SvcQuery.exe to your desktop, then click that file to open that tool. A window will open. When prompted to provide a service name, type in the following, then press Enter:

    lvdgwgcb

    Repeat that, using the following:

    xpkihsl

    Then follow the prompt to exit. The tool will create a log - post that back here please.

    --------------------

    Code:
    REGEDIT4
    
    ; "=-" deletes the AMService autostart value from both Run keys
    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AMService"=-
    
    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AMService"=-

    Open Notepad (Start - Run, type Notepad then press OK), and copy the text inside the box above and paste it into the open Notepad textbox.

    Save this to your desktop as "fixer.reg"

    Be sure to include the "" quotes in the name.

    Then right click fixer.reg, select Merge, and allow it to merge the new information with the Registry.

    ------------------

    Go here and download and run the AVG uninstaller.

    -------------------

    Code:
    @ECHO OFF
    cd c:\windows
    REM Move any existing LastGood folders out of the way
    ren lastgood lastgood-old >nul 2>&1
    ren lastgood.temp lastgood-old2 >nul 2>&1
    REM Stage the replacement files where Last Known Good will pick them up
    md C:\windows\lastgood\system32\drivers
    REM Paths containing spaces must be quoted, otherwise copy fails
    copy "C:\Documents and Settings\Administrator\Desktop\LostWinFiles\sfcfiles.dll" "C:\windows\lastgood\system32\drivers\sfcfiles.dll"
    copy "C:\Documents and Settings\Administrator\Desktop\LostWinFiles\wscntfy.exe" "C:\windows\lastgood\system32\drivers\wscntfy.exe"
    copy "C:\Documents and Settings\Administrator\Desktop\LostWinFiles\msgsvc.dll" "C:\windows\lastgood\system32\drivers\msgsvc.dll"

    Open Notepad (Start - Run, type notepad and press Enter).

    Copy/paste the above text (inside the Code box) into the open text box, then save this to your desktop as "changer.bat"

    Be sure to include the "" quotes in the name. Then click on changer.bat. A window should open briefly but nothing more.

    -------------------

    Then restart the computer, and as it boots up tap the F8 key about once per half-second, to access the startup menu (where you can make Safe Mode selections). From that menu select the following:

    Last Known Good Configuration

    That should load a saved copy of the Registry, but also do the file swap we need.

    ------------------

    Go to Start - Run, copy paste the following, then click the OK button:

    "%userprofile%\desktop\combofix.exe" /killall

    Then follow the previous steps and allow ComboFix to complete its processes. Post the C:\ComboFix.txt log here please.

    Live the day!

    Jintan - The brand where everything is right!

  2. #32
    Forum user
    Member since
    27.01.2011
    Posts
    58

    Re: google redirect, taskbar changes appearance + usb internet connection down etc.

    SvcQuery:

    I may have made a mistake: I ran it twice, once for each command, so there are two logs:

    1st log:

    - - - - - - - - - - - BEFORE - - - - - - - - - - -

    netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0lvdgwgcb\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0xpkihsl\0\0

    - - - - - - - - - - - AFTER - - - - - - - - - - -

    netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0xpkihsl\0\0


    2nd log:

    - - - - - - - - - - - BEFORE - - - - - - - - - - -

    netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0xpkihsl\0\0

    - - - - - - - - - - - AFTER - - - - - - - - - - -

    netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0\0



    vvvvvvvvvvvvvv

    "fixer.reg" done

    vvvvvvvvvvvvv

    AVG uninstaller - done

    vvvvvvvvvvvv

    "changer.bat" - done

    vvvvvvvvvvvv

    restart with 'last known good configuration' - done

    vvvvvvvvvvvv

    Combofix run:

    1st run: said again I have an old version, asked if I wanted to download the new one, I said 'yes'
    new version was downloaded, ComboFix said it would restart, it did
    then it saved restore points and started scanning
    let the scan run for over 1 hour, the yellow underscore kept on going, but after that long time I turned off the computer

    2nd run: started to run immediately ( no prompt to download newest definitions, nor did it save restore points )
    let it run a good 20 minutes, then turned off the computer

    so sorry, again no log for Combofix

    note: computer so much more responsive than it used to be before, and now startup is fast again too

  3. #33
    Forum user
    Member since
    27.01.2011
    Posts
    58

    Re: google redirect, taskbar changes appearance + usb internet connection down etc.

    I noticed that the two logs of the SvcQuery look identical, so I thought I must have made a mistake
    and decided to make reruns:
    running lvdgwgcb again, it said it could not find it
    running xpkihsl again made the window of the SvcQuery simply disappear, and that was it
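The two SvcQuery lists above differ by a single name, which is easy to miss when the whole netsvcs value is printed on one line. The script below is an added example, not SvcQuery's code or anything posted in the thread: it parses the BEFORE/AFTER output, reports which names a run removed, and lists any name that is not in a reference set (here the cleaned list from the thread, an editor's assumption rather than an official baseline).

```python
"""Diff the netsvcs REG_MULTI_SZ value between two SvcQuery snapshots.

Added example for this thread, not SvcQuery's own code. SvcQuery prints the
whole netsvcs list on one line with literal backslash-zero separators, so a
single removed name is easy to overlook. The sample log is constructed from
the first log posted in the thread, with the forum's line wrapping undone.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^[- ]*(BEFORE|AFTER)[- ]*$")

# Reference set: the names left in netsvcs after the cleanup in the thread.
# Editor's assumption, not an official Windows XP baseline; adjust it for the
# service pack and software on the machine being examined.
REFERENCE = frozenset({
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias",
    "Iprip", "Irmon", "LanmanServer", "LanmanWorkstation", "Netman", "Nla",
    "Ntmssvc", "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman",
    "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess", "SRService",
    "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi", "WmdmPmSp",
    "winmgmt", "xmlprov", "BITS", "wuauserv", "ShellHWDetection", "helpsvc",
    "WmdmPmSN",
})


def parse_netsvcs(line: str) -> List[str]:
    """Return the service names from one 'netsvcs REG_MULTI_SZ ...' line.

    The log shows each separator as the two characters backslash and zero; a
    real NUL byte is accepted too, so a value read from the registry parses
    the same way.
    """
    _, found, value = line.partition("REG_MULTI_SZ")
    if not found:
        raise ValueError("not a REG_MULTI_SZ line: %r" % line)
    for sep in ("\\0", "\x00"):
        value = value.replace(sep, "\n")
    return [name.strip() for name in value.splitlines() if name.strip()]


def parse_svcquery_log(text: str) -> Dict[str, List[str]]:
    """Split a SvcQuery log into its BEFORE and AFTER netsvcs lists."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        marker = SECTION_RE.match(line)
        if marker:
            current = marker.group(1)
        elif current and "REG_MULTI_SZ" in line:
            sections[current] = parse_netsvcs(line)
    return sections


def diff_netsvcs(before: List[str], after: List[str]) -> Tuple[List[str], List[str]]:
    """Names the run removed and names that newly appeared, in list order."""
    removed = [n for n in before if n not in after]
    added = [n for n in after if n not in before]
    return removed, added


def unknown_entries(names: List[str], reference=REFERENCE) -> List[str]:
    """Names absent from the reference set; random-looking ones stand out."""
    return [n for n in names if n not in reference]


def triage(log_text: str, reference=REFERENCE) -> Dict[str, List[str]]:
    """One-shot summary of a SvcQuery log: what changed and what is unknown."""
    sections = parse_svcquery_log(log_text)
    before, after = sections.get("BEFORE", []), sections.get("AFTER", [])
    removed, added = diff_netsvcs(before, after)
    return {"removed": removed, "added": added,
            "unknown_before": unknown_entries(before, reference),
            "unknown_after": unknown_entries(after, reference)}


# Constructed sample in SvcQuery's output format (first log from the thread).
SAMPLE_LOG = "\n".join([
    "- - - - - - - - - - - BEFORE - - - - - - - - - - -",
    "",
    r"netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0"
    r"DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0"
    r"Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Netman\0Nla\0Ntmssvc\0"
    r"NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0"
    r"Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0"
    r"lvdgwgcb\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0xmlprov\0BITS\0"
    r"wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0xpkihsl\0\0",
    "",
    "- - - - - - - - - - - AFTER - - - - - - - - - - -",
    "",
    r"netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0"
    r"DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0"
    r"Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Netman\0Nla\0Ntmssvc\0"
    r"NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0"
    r"Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0"
    r"W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0xmlprov\0BITS\0wuauserv\0"
    r"ShellHWDetection\0helpsvc\0WmdmPmSN\0xpkihsl\0\0",
])

if __name__ == "__main__":
    for key, names in triage(SAMPLE_LOG).items():
        print("%-15s %s" % (key, ", ".join(names) or "-"))
```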

  4. #34
    Moderator (global), team member: Jintan
    Member since
    25.11.2006
    Posts
    5.969

    Re: Re: google redirect, taskbar changes appearance + usb internet connection down et

    Careful - errors or changes with steps like SvcQuery could make the wrong changes. But the logs you posted reflected the correct changes were made the first time, so that's corrected.

    I sense ComboFix may be hitting a permissions block of some kind. Although it really is not the most security correct thing to do, better we mass change permissions instead of second guessing which, if any, locations are the problems. Updating to the next Service Pack may then change things back, or at least most of them.

    Disable all security software.

    Download subinacl.msi from here to your desktop, then click the file to start the installer.

    Accept any agreements, and when it suggests it install SubInACL.exe to its "C:\Program Files\Windows Resource Kits\Tools\" folder, instead click Browse, and direct it to your C folder, so it will then be C:\SubInACL.exe.

    --------------------------

    Once you have done that open Notepad (Start - Run, type notepad then press Enter) and copy the following text into a new file:
    Code:
    REM SubInACL.exe was installed to C:\, so change to the root of the drive first
    cd\
    REM Registry hives: give Everyone and SYSTEM full control on every subkey
    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=everyone=f /grant=system=f
    subinacl /subkeyreg HKEY_CURRENT_USER /grant=everyone=f /grant=system=f
    subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=everyone=f /grant=system=f
    REM File system: the same grant on the system drive and the Windows folder
    subinacl /subdirectories %SystemDrive% /grant=everyone=f /grant=system=f
    subinacl /subdirectories %windir%\*.* /grant=everyone=f /grant=system=f

    Save the file to the desktop as "permdo.bat"

    Make sure to use the quotes "" in the name.

    Then double-click on permdo.bat. A window should open and you will see some procedures run, then more run at the top of your display --- this is normal. Once they have completed the changes the window should close.

    Try ComboFix again. Decline any offers to download anything if asked, and allow it to run for at least two hours - more if time permits. Often it also has to make changes that take time, with no visible indication activity is occurring.

    Post the ComboFix log after please.

  5. #35
    Forum user
    Member since
    27.01.2011
    Posts
    58

    Re: google redirect, taskbar changes appearance + usb internet connection down etc.

    did the "permdo.bat" run as explained

    note: after fast running entry lines, lines on top of its window appeared explaining that it was 'replacing' ( was the word 'replacing' used? don't remember for sure ) many files but that there were three errors / files not found.
    after some time it went back to the fast running entries, then the few lines on top of its window again appeared saying that there was no error
    but after some time again the running entries appeared, then that there was one file not found / 1 error, but it kept on running until it shut down by itself

    vvvvvvvvvvvv

    tried 2 Combofix runs:

    1st run: soon, I guess before the proper scan started, it said that my 'Recycle Bin' was corrupted, and asked me if I wanted to delete its contents. I said yes, and the run continued. However I never saw the yellow underscore in ComboFix's window blinking and turned off the computer after about 1 hour

    2nd run: it started without any prompt or interruption. Yellow underscore kept on blinking, left it running for 4 hours, then I turned off the computer

  6. #36
    Moderator (global), team member: Jintan
    Member since
    25.11.2006
    Posts
    5.969

    Re: Re: google redirect, taskbar changes appearance + usb internet connection down et

    Not sure I have run into that Recycle Bin issue before. SubInACL runs like the one you did do show a few Failures, usually when working in hive security areas (best I recall), so tough to assume anything from what you observed.

    Just to ensure file/folder glitches are not involved, click here and download Old Timer's TFC.exe to your desktop. Be sure all programs are closed, then click TFC.exe to open the display. Click the Start button, and allow TFC to clean out all temp storage. If it suggests a reboot allow that. If not, just click Exit to close TFC.


    Go here and download RkU3.8.341.552.rar, then unzip that. Locate the RkU3.8.341.552.exe file, then click that to install Rootkit Unhooker. If you need a tool to "unzip" a rar file you can use the free version of 7-zip here.

    That Rootkit Unhooker download site isn't a very formal one, but it is what the scan tool author provides.

    Then go to Start - (All) Programs - Rootkit Unhooker, and click the Rootkit Unhooker listing there to run the scanner.

    Once that opens click the Report tab, then click Scan. Leave all the selections checked, then click OK. Once the scan completes go to File - Save Report, and save that to your desktop.

    Post that log back here please.
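Once the Rootkit Unhooker report comes back, its Hooks section is the part worth reading first, and it can be long. The script below is an added example, not the tool's code or anything from the thread: it parses Hooks lines in the report's format, counts hooks per installing module, and lists the entries a helper would look at first (kernel inline hooks and hooks from modules not on an expected list; that list is the editor's assumption, and the sample lines are constructed).

```python
"""Summarize the >Hooks section of a Rootkit Unhooker (RkU) report.

Added example, not part of the thread or of the RkU tool. Dozens of IAT
entries from one legitimate DLL can bury the one line that matters, so this
groups hooks by the module that installed them and separates kernel inline
hooks from user-mode IAT hooks.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<target>[^,]+), Type: (?P<type>.+?) "
    r"(?P<addr>0x[0-9A-Fa-f]+) \[(?P<hooker>[^\]]+)\]$"
)

# Modules whose hooks are expected here (assumption: shimeng.dll is Windows'
# application-compatibility shim engine, yui.dll is Yahoo! Messenger's UI
# library; confirm the file on disk is the vendor's signed copy before relying
# on this). Everything else, plus every kernel inline hook, is reported.
EXPECTED_HOOKERS = frozenset({"shimeng.dll", "yui.dll"})


@dataclass
class Hook:
    pid: Optional[int]   # None for kernel-mode entries
    process: str         # hooked process, or the kernel image for inline hooks
    function: str        # hooked import, or "+offset" into the kernel image
    hook_type: str       # "IAT modification", "Inline - RelativeJump", ...
    address: int         # where the hook now points
    hooker: str          # module that owns that address

    @property
    def kernel(self) -> bool:
        return self.pid is None


def parse_hook_line(line: str) -> Optional[Hook]:
    """Parse one >Hooks line; returns None for blank or non-hook lines."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    pid = int(m.group("pid")) if m.group("pid") else None
    chain = m.group("target").split("-->")         # process-->dll-->...-->import
    if pid is None:
        image, _, offset = chain[0].partition("+")  # "ntkrnlpa.exe+0x0006DDDE"
        process, function = image, "+" + offset
    else:
        process, function = chain[0], chain[-1]
    return Hook(pid, process, function, m.group("type"),
                int(m.group("addr"), 16), m.group("hooker"))


def parse_hooks_section(report: str) -> List[Hook]:
    """Collect Hook records from the lines after the '>Hooks' header."""
    hooks: List[Hook] = []
    in_section = False
    for line in report.splitlines():
        text = line.strip()
        if text == ">Hooks":
            in_section = True
        elif in_section and text.startswith(">"):
            break                                   # next report section
        elif in_section:
            hook = parse_hook_line(text)
            if hook:
                hooks.append(hook)
    return hooks


def hooks_by_module(hooks: List[Hook]) -> Dict[str, int]:
    return dict(Counter(h.hooker for h in hooks))


def needs_review(hooks: List[Hook], expected=EXPECTED_HOOKERS) -> List[Hook]:
    """Kernel inline hooks and user-mode hooks from unexpected modules."""
    return [h for h in hooks if h.kernel or h.hooker not in expected]


# Constructed sample in the RkU report format; the last line is a made-up
# hook from a module nobody can account for, to exercise the review path.
SAMPLE_REPORT = "\n".join([
    "==============================================",
    ">Hooks",
    "",
    "ntkrnlpa.exe+0x0006DDDE, Type: Inline - RelativeJump 0x80544DDE [ntkrnlpa.exe]",
    "[2608]Ymsgr_tray.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110BC [yui.dll]",
    "[2608]Ymsgr_tray.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0040C0E0 [yui.dll]",
    "[2608]Ymsgr_tray.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification 0x0040C29C [yui.dll]",
    "[316]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]",
    "[1412]svchost.exe-->ws2_32.dll-->send, Type: IAT modification 0x71AB4C27 [unknown-example.dll]",
])

if __name__ == "__main__":
    found = parse_hooks_section(SAMPLE_REPORT)
    print("hooks per module:", hooks_by_module(found))
    for h in needs_review(found):
        kind = "KERNEL inline" if h.kernel else "user-mode " + h.hook_type
        print("review: %s hook in %s (%s) -> %s" % (kind, h.process, h.function, h.hooker))
```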

  7. #37
    Forum user
    Member since
    27.01.2011
    Posts
    58

    Re: google redirect, taskbar changes appearance + usb internet connection down etc.

    Old Timer TFC finished including a reboot which was prompted

    vvvvvvvvvvv

    Unhooker log:

    RkUnhooker report generator v0.7
    ==============================================
    Rootkit Unhooker kernel version: 3.8.341.552
    ==============================================
    Windows Major Version: 5
    Windows Minor Version: 1
    Windows Build Number: 2600
    ==============================================
    >SSDT State
    ==============================================
    >Shadow
    ==============================================
    >Processes
    Process: System
    Process Id: 4
    EPROCESS Address: 0x8A940830

    Process: C:\WINDOWS\explorer.exe
    Process Id: 316
    EPROCESS Address: 0x8A5B7DA0

    Process: C:\Program Files\Java\jre6\bin\jqs.exe
    Process Id: 636
    EPROCESS Address: 0x8952DDA0

    Process: C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
    Process Id: 692
    EPROCESS Address: 0x894EB500

    Process: C:\WINDOWS\system32\svchost.exe
    Process Id: 972
    EPROCESS Address: 0x8A549DA0

    Process: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    Process Id: 1020
    EPROCESS Address: 0x8A5A5DA0

    Process: C:\WINDOWS\system32\smss.exe
    Process Id: 1032
    EPROCESS Address: 0x8A751798

    Process: C:\WINDOWS\system32\csrss.exe
    Process Id: 1084
    EPROCESS Address: 0x8A83C330

    Process: C:\WINDOWS\system32\winlogon.exe
    Process Id: 1120
    EPROCESS Address: 0x8A726020

    Process: C:\WINDOWS\system32\services.exe
    Process Id: 1164
    EPROCESS Address: 0x8A57FA20

    Process: C:\WINDOWS\system32\lsass.exe
    Process Id: 1176
    EPROCESS Address: 0x8A5F6C08

    Process: C:\WINDOWS\system32\ati2evxx.exe
    Process Id: 1332
    EPROCESS Address: 0x8A583318

    Process: C:\WINDOWS\system32\svchost.exe
    Process Id: 1348
    EPROCESS Address: 0x8A580370

    Process: C:\WINDOWS\system32\svchost.exe
    Process Id: 1412
    EPROCESS Address: 0x8A548DA0

    Process: C:\WINDOWS\system32\svchost.exe
    Process Id: 1452
    EPROCESS Address: 0x8A5D9280

    Process: C:\WINDOWS\system32\svchost.exe
    Process Id: 1580
    EPROCESS Address: 0x8A579D78

    Process: C:\WINDOWS\system32\svchost.exe
    Process Id: 1616
    EPROCESS Address: 0x8A7E9958

    Process: C:\WINDOWS\system32\ati2evxx.exe
    Process Id: 1688
    EPROCESS Address: 0x8A5DA5F8

    Process: C:\WINDOWS\system32\alg.exe
    Process Id: 1760
    EPROCESS Address: 0x895C3DA0

    Process: C:\WINDOWS\system32\spoolsv.exe
    Process Id: 1956
    EPROCESS Address: 0x8A560890

    Process: C:\WINDOWS\system32\notepad.exe
    Process Id: 2104
    EPROCESS Address: 0x8A580810

    Process: C:\WINDOWS\RTHDCPL.EXE
    Process Id: 2164
    EPROCESS Address: 0x895012B0

    Process: C:\WINDOWS\AGRSMMSG.exe
    Process Id: 2172
    EPROCESS Address: 0x8A7EBDA0

    Process: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    Process Id: 2208
    EPROCESS Address: 0x8A891BE0

    Process: D:\Programs\WinZip\WZQKPICK.EXE
    Process Id: 2220
    EPROCESS Address: 0x8A5F9C00

    Process: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    Process Id: 2336
    EPROCESS Address: 0x8A699718

    Process: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    Process Id: 2344
    EPROCESS Address: 0x8A7DA860

    Process: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
    Process Id: 2408
    EPROCESS Address: 0x8A6C8A20

    Process: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
    Process Id: 2468
    EPROCESS Address: 0x89528A20

    Process: C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
    Process Id: 2608
    EPROCESS Address: 0x8A7DC428

    Process: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
    Process Id: 2752
    EPROCESS Address: 0x894DC600

    Process: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
    Process Id: 3036
    EPROCESS Address: 0x89507A20

    Process: C:\WINDOWS\system32\wuauclt.exe
    Process Id: 3284
    EPROCESS Address: 0x8A651BF8

    Process: C:\RkUnhooker\fYy5kPf325N.exe
    Process Id: 2064
    EPROCESS Address: 0x89567DA0

    ==============================================
    >Drivers
    Driver: C:\WINDOWS\system32\drivers\RtkHDAud.sys
    Address: 0xAE645000
    Size: 4689920 bytes

    Driver: C:\WINDOWS\system32\drivers\RtHDMI.sys
    Address: 0xAEB0A000
    Size: 3526656 bytes

    Driver: C:\WINDOWS\System32\ati3duag.dll
    Address: 0xBFB2D000
    Size: 3133440 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    Address: 0xB7F5D000
    Size: 2662400 bytes

    Driver: C:\WINDOWS\system32\ntkrnlpa.exe
    Address: 0x804D7000
    Size: 2142208 bytes

    Driver: PnpManager
    Address: 0x804D7000
    Size: 2142208 bytes

    Driver: RAW
    Address: 0x804D7000
    Size: 2142208 bytes

    Driver: WMIxWDM
    Address: 0x804D7000
    Size: 2142208 bytes

    Driver: Win32k
    Address: 0xBF800000
    Size: 1843200 bytes

    Driver: C:\WINDOWS\System32\win32k.sys
    Address: 0xBF800000
    Size: 1843200 bytes

    Driver: C:\WINDOWS\System32\ativvaxx.dll
    Address: 0xBFE2A000
    Size: 1597440 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\athw.sys
    Address: 0xB7DA3000
    Size: 1576960 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\AGRSM.sys
    Address: 0xAE529000
    Size: 1163264 bytes

    Driver: Ntfs.sys
    Address: 0xBA636000
    Size: 577536 bytes

    Driver: C:\WINDOWS\System32\ati2cqag.dll
    Address: 0xBFA19000
    Size: 499712 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    Address: 0xAE2A9000
    Size: 454656 bytes

    Driver: C:\WINDOWS\System32\atikvmag.dll
    Address: 0xBFA93000
    Size: 442368 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\tcpip.sys
    Address: 0xAE3D6000
    Size: 360448 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
    Address: 0xB7CCF000
    Size: 335872 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\srv.sys
    Address: 0xAB7B3000
    Size: 335872 bytes

    Driver: C:\WINDOWS\System32\ATMFD.DLL
    Address: 0xBFFB0000
    Size: 286720 bytes

    Driver: C:\WINDOWS\System32\ati2dvag.dll
    Address: 0xBF9D4000
    Size: 282624 bytes

    Driver: C:\WINDOWS\System32\Drivers\HTTP.sys
    Address: 0xAB298000
    Size: 266240 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\update.sys
    Address: 0xB6EAF000
    Size: 212992 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    Address: 0xB7BA3000
    Size: 200704 bytes

    Driver: ACPI.sys
    Address: 0xBA779000
    Size: 188416 bytes

    Driver: C:\WINDOWS\System32\atiok3x2.dll
    Address: 0xBFAFF000
    Size: 188416 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    Address: 0xAB855000
    Size: 184320 bytes

    Driver: NDIS.sys
    Address: 0xBA609000
    Size: 184320 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\rdbss.sys
    Address: 0xAE318000
    Size: 176128 bytes

    Driver: C:\WINDOWS\system32\drivers\kmixer.sys
    Address: 0xAB106000
    Size: 172032 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\netbt.sys
    Address: 0xAE386000
    Size: 163840 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\secdrv.sys
    Address: 0xAB763000
    Size: 163840 bytes

    Driver: dmio.sys
    Address: 0xBA723000
    Size: 155648 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    Address: 0xB7F24000
    Size: 151552 bytes

    Driver: C:\WINDOWS\system32\drivers\portcls.sys
    Address: 0xAEAE6000
    Size: 147456 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\ks.sys
    Address: 0xB7D46000
    Size: 143360 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
    Address: 0xB7D69000
    Size: 143360 bytes

    Driver: C:\WINDOWS\System32\drivers\afd.sys
    Address: 0xAE343000
    Size: 139264 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\ipnat.sys
    Address: 0xAE365000
    Size: 135168 bytes

    Driver: ACPI_HAL
    Address: 0x806E2000
    Size: 134272 bytes

    Driver: C:\WINDOWS\system32\hal.dll
    Address: 0x806E2000
    Size: 134272 bytes

    Driver: fltMgr.sys
    Address: 0xBA6EC000
    Size: 126976 bytes

    Driver: ftdisk.sys
    Address: 0xBA749000
    Size: 126976 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\tosrfbd.sys
    Address: 0xAE28D000
    Size: 114688 bytes

    Driver: Mup.sys
    Address: 0xBA5EF000
    Size: 106496 bytes

    Driver: atapi.sys
    Address: 0xBA70B000
    Size: 98304 bytes

    Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xAE1D7000
    Size: 98304 bytes

    Driver: KSecDD.sys
    Address: 0xBA6C3000
    Size: 94208 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    Address: 0xB7CB8000
    Size: 94208 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
    Address: 0xB7D8C000
    Size: 94208 bytes

    Driver: C:\WINDOWS\system32\drivers\wdmaud.sys
    Address: 0xABB79000
    Size: 86016 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
    Address: 0xB7D21000
    Size: 81920 bytes

    Driver: C:\WINDOWS\System32\Drivers\usbvideo.sys
    Address: 0xAE279000
    Size: 81920 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
    Address: 0xB7F49000
    Size: 81920 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\ipsec.sys
    Address: 0xAE42E000
    Size: 77824 bytes

    Driver: C:\WINDOWS\System32\drivers\dxg.sys
    Address: 0xBF9C2000
    Size: 73728 bytes

    Driver: sr.sys
    Address: 0xBA6DA000
    Size: 73728 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys
    Address: 0xAE217000
    Size: 73728 bytes

    Driver: pci.sys
    Address: 0xBA768000
    Size: 69632 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\psched.sys
    Address: 0xB7BD4000
    Size: 69632 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
    Address: 0xB7D35000
    Size: 69632 bytes

    Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS
    Address: 0xBAA78000
    Size: 65536 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\nic1394.sys
    Address: 0xBAAD8000
    Size: 65536 bytes

    Driver: C:\WINDOWS\System32\Drivers\tosrfcom.sys
    Address: 0xBAAF8000
    Size: 65536 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\arp1394.sys
    Address: 0xBAA18000
    Size: 61440 bytes

    Driver: C:\WINDOWS\system32\drivers\drmk.sys
    Address: 0xBA9B8000
    Size: 61440 bytes

    Driver: ohci1394.sys
    Address: 0xBA8B8000
    Size: 61440 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\redbook.sys
    Address: 0xBAAB8000
    Size: 61440 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\risdptsk.sys
    Address: 0xBAAE8000
    Size: 61440 bytes

    Driver: C:\WINDOWS\system32\drivers\sysaudio.sys
    Address: 0xABCBE000
    Size: 61440 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\usbhub.sys
    Address: 0xBA9D8000
    Size: 61440 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
    Address: 0xBA8C8000
    Size: 53248 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\cdrom.sys
    Address: 0xBAAA8000
    Size: 53248 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    Address: 0xBA908000
    Size: 53248 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    Address: 0xBAAC8000
    Size: 53248 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    Address: 0xBAB08000
    Size: 53248 bytes

    Driver: VolSnap.sys
    Address: 0xBA8E8000
    Size: 53248 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\raspptp.sys
    Address: 0xBA948000
    Size: 49152 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\imapi.sys
    Address: 0xBAA98000
    Size: 45056 bytes

    Driver: MountMgr.sys
    Address: 0xBA8D8000
    Size: 45056 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    Address: 0xBAB18000
    Size: 45056 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\tosporte.sys
    Address: 0xBA978000
    Size: 45056 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\tosrfusb.sys
    Address: 0xBAA48000
    Size: 45056 bytes

    Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS
    Address: 0xBA988000
    Size: 40960 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\termdd.sys
    Address: 0xBA968000
    Size: 40960 bytes

    Driver: disk.sys
    Address: 0xBA8F8000
    Size: 36864 bytes

    Driver: C:\WINDOWS\System32\Drivers\Fips.SYS
    Address: 0xBAA28000
    Size: 36864 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
    Address: 0xBAA38000
    Size: 36864 bytes

    Driver: isapnp.sys
    Address: 0xBA8A8000
    Size: 36864 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\msgpc.sys
    Address: 0xBA958000
    Size: 36864 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\netbios.sys
    Address: 0xBAA08000
    Size: 36864 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\processr.sys
    Address: 0xBAA88000
    Size: 36864 bytes

    Driver: PxHelp20.sys
    Address: 0xBA918000
    Size: 36864 bytes

    Driver: C:\WINDOWS\System32\Drivers\tosrfbnp.sys
    Address: 0xBAA58000
    Size: 36864 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\wanarp.sys
    Address: 0xBA9F8000
    Size: 36864 bytes

    Driver: C:\WINDOWS\System32\Drivers\Modem.SYS
    Address: 0xBAC10000
    Size: 32768 bytes

    Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS
    Address: 0xBAC40000
    Size: 32768 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    Address: 0xBAC50000
    Size: 32768 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
    Address: 0xBAC48000
    Size: 28672 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    Address: 0xBAB28000
    Size: 28672 bytes

    Driver: C:\WINDOWS\System32\Drivers\sybex38.SYS
    Address: 0xBAB90000
    Size: 28672 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\usbehci.sys
    Address: 0xBABE0000
    Size: 28672 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    Address: 0xBABE8000
    Size: 24576 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\mouclass.sys
    Address: 0xBABF0000
    Size: 24576 bytes

    Driver: C:\WINDOWS\System32\drivers\vga.sys
    Address: 0xBAC30000
    Size: 24576 bytes

    Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS
    Address: 0xBAC38000
    Size: 20480 bytes

    Driver: PartMgr.sys
    Address: 0xBAB30000
    Size: 20480 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\ptilink.sys
    Address: 0xBAC00000
    Size: 20480 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\raspti.sys
    Address: 0xBAC08000
    Size: 20480 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\TDI.SYS
    Address: 0xBABF8000
    Size: 20480 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\tosrfnds.sys
    Address: 0xBAC58000
    Size: 20480 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\usbohci.sys
    Address: 0xBABD8000
    Size: 20480 bytes

    Driver: C:\WINDOWS\System32\watchdog.sys
    Address: 0xBAC68000
    Size: 20480 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
    Address: 0xBACC0000
    Size: 16384 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    Address: 0xBAD80000
    Size: 16384 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    Address: 0xBA5C3000
    Size: 16384 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    Address: 0xABEAE000
    Size: 16384 bytes

    Driver: ACPIEC.sys
    Address: 0xBACC4000
    Size: 12288 bytes

    Driver: C:\WINDOWS\system32\BOOTVID.dll
    Address: 0xBACB8000
    Size: 12288 bytes

    Driver: compbatt.sys
    Address: 0xBACBC000
    Size: 12288 bytes

    Driver: C:\WINDOWS\System32\drivers\Dxapi.sys
    Address: 0xAE265000
    Size: 12288 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\hidusb.sys
    Address: 0xB6E8B000
    Size: 12288 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\mouhid.sys
    Address: 0xB6E87000
    Size: 12288 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    Address: 0xBAD90000
    Size: 12288 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\rasacd.sys
    Address: 0xBAD78000
    Size: 12288 bytes

    Driver: C:\WINDOWS\System32\Drivers\Beep.SYS
    Address: 0xBADD2000
    Size: 8192 bytes

    Driver: dmload.sys
    Address: 0xBADAC000
    Size: 8192 bytes

    Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xBADE2000
    Size: 8192 bytes

    Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
    Address: 0xBADD0000
    Size: 8192 bytes

    Driver: C:\WINDOWS\system32\KDCOM.DLL
    Address: 0xBADA8000
    Size: 8192 bytes

    Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
    Address: 0xBADD4000
    Size: 8192 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\swenum.sys
    Address: 0xBADC6000
    Size: 8192 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\USBD.SYS
    Address: 0xBADCA000
    Size: 8192 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
    Address: 0xBADAA000
    Size: 8192 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\audstub.sys
    Address: 0xBAE8A000
    Size: 4096 bytes

    Driver: C:\WINDOWS\System32\drivers\dxgthk.sys
    Address: 0xBAFAB000
    Size: 4096 bytes

    Driver: C:\WINDOWS\System32\Drivers\Null.SYS
    Address: 0xBAF28000
    Size: 4096 bytes

    Driver: C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    Address: 0xBAE71000
    Size: 4096 bytes

    Driver: pciide.sys
    Address: 0xBAE70000
    Size: 4096 bytes

    ==============================================
    >Stealth
    ==============================================
    >Files
    ==============================================
    >Hooks

    ntkrnlpa.exe+0x0006DDDE, Type: Inline - RelativeJump 0x80544DDE [ntkrnlpa.exe]
    [2608]Ymsgr_tray.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110BC [yui.dll]
    [2608]Ymsgr_tray.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084 [yui.dll]
    [2608]Ymsgr_tray.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078 [yui.dll]
    [2608]Ymsgr_tray.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110C0 [yui.dll]
    [2608]Ymsgr_tray.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040C0E4 [yui.dll]
    [2608]Ymsgr_tray.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0040C0E0 [yui.dll]
    [2608]Ymsgr_tray.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x0040C0B0 [yui.dll]
    [2608]Ymsgr_tray.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x0040C0B8 [yui.dll]
    [2608]Ymsgr_tray.exe-->shell32.dll-->gdi32.dll-->GetStockObject, Type: IAT modification 0x7C9C1134 [yui.dll]
    [2608]Ymsgr_tray.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A0 [yui.dll]
    [2608]Ymsgr_tray.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13F4 [yui.dll]
    [2608]Ymsgr_tray.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C1638 [yui.dll]
    [2608]Ymsgr_tray.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C1618 [yui.dll]
    [2608]Ymsgr_tray.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C159C [yui.dll]
    [2608]Ymsgr_tray.exe-->shell32.dll-->user32.dll-->AnimateWindow, Type: IAT modification 0x7C9C1D14 [yui.dll]
    [2608]Ymsgr_tray.exe-->shell32.dll-->user32.dll-->DefWindowProcA, Type: IAT modification 0x7C9C1D44 [yui.dll]
    [2608]Ymsgr_tray.exe-->shell32.dll-->user32.dll-->DefWindowProcW, Type: IAT modification 0x7C9C1EA0 [yui.dll]
    [2608]Ymsgr_tray.exe-->shell32.dll-->user32.dll-->GetSysColor, Type: IAT modification 0x7C9C1E38 [yui.dll]
    [2608]Ymsgr_tray.exe-->shell32.dll-->user32.dll-->GetSysColorBrush, Type: IAT modification 0x7C9C1EE0 [yui.dll]
    [2608]Ymsgr_tray.exe-->shell32.dll-->user32.dll-->TrackPopupMenu, Type: IAT modification 0x7C9C1F8C [yui.dll]
    [2608]Ymsgr_tray.exe-->shell32.dll-->user32.dll-->TrackPopupMenuEx, Type: IAT modification 0x7C9C1D30 [yui.dll]
    [2608]Ymsgr_tray.exe-->user32.dll-->DefWindowProcW, Type: IAT modification 0x0040C268 [yui.dll]
    [2608]Ymsgr_tray.exe-->user32.dll-->gdi32.dll-->GetStockObject, Type: IAT modification 0x77D4112C [yui.dll]
    [2608]Ymsgr_tray.exe-->user32.dll-->GetSysColor, Type: IAT modification 0x0040C2A4 [yui.dll]
    [2608]Ymsgr_tray.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D4133C [yui.dll]
    [2608]Ymsgr_tray.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77D412F8 [yui.dll]
    [2608]Ymsgr_tray.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77D41208 [yui.dll]
    [2608]Ymsgr_tray.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77D41340 [yui.dll]
    [2608]Ymsgr_tray.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification 0x0040C29C [yui.dll]
    [316]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1610 [shimeng.dll]
    [316]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110BC [shimeng.dll]
    [316]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
    [316]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A0 [shimeng.dll]
    [316]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77D4133C [shimeng.dll]
    [316]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x771B1248 [shimeng.dll]
    [316]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB115C [shimeng.dll]


    Note:
    Inside the unhooker window there is one more line than in the saved report; the last two lines read as follows:

    [316]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB115C [shimeng.dll]
    !!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

  8. #38
    Jintan, Moderator (global), Team member
    Registered since
    25.11.2006
    Posts
    5.969

    Re: AW: google redirect, taskbar changes appearance + usb internet connection down et

    That last one is somewhat of interest. It would be a crime for me to pretend I am skilled in the use of "shims", but for an idea of it, a shim can bring other hidden functions to a process, and is also used by malware. RKU even uses those. The concern with the explorer.exe shim is it involving ws2_32.dll, which suggests unseen changes to the Winsock, and so network activities. And then the earlier Gmer log showing debugging functions in explorer.exe, again a means of watching, and making changes, that malware might use. Or entirely innocent. Can't help but sense some piece of AVG is still involved, though.

    Let's set the stage for a different work-around there.

    Run the Gmer right-click Non MS files only scan.

    In those results, locate this part:

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[268] ntdll.dll!DbgBreakPoint 7C901230 1 Byte [C3]
    .text C:\WINDOWS\Explorer.EXE[268] ntdll.dll!DbgUiRemoteBreakin 7C95077B 5 Bytes JMP 7C923DEF C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
    .text C:\WINDOWS\System32\svchost.exe[1440] ntdll.dll!DbgBreakPoint 7C901230 1 Byte [C3]
    .text C:\WINDOWS\System32\svchost.exe[1440] ntdll.dll!DbgUiRemoteBreakin 7C95077B 5 Bytes JMP 7C923DEF C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)

    If the results are "similar" to those, the item of interest is that "[1440]" number, which will now be a different number. Take note of the new number.

    Download and run Process Explorer from here. Click on View and check "Show processes from all users", "show fractional CPU" and "Show unnamed handles".

    In the upper panel of that display, locate the svchost.exe process that shows the number you saw in Gmer. Then double-click on that svchost.exe. Click the Services tab, and write down what services are listed there.

    Post those back here please. If Gmer no longer shows something similar to the highlighted "svchost.exe[1440]" entries, then instead just let me know here, and post the Gmer log showing the new info.

    Run Gmer - get svchost.exe number - run Processes Explorer - get services names - post them here.

    or

    Run Gmer - no svchost.exe number shows (under "User code sections") - just save and post that Gmer log please.
    Live the day!

    Jintan - The brand where everything is right!
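
    As an added example (not code from Jintan's post, from GMER, or from RkUnhooker), here is a small Python triage script for the two log formats discussed above: it parses GMER's "User code sections" lines to pull out which process image and PID carry the DbgBreakPoint/DbgUiRemoteBreakin patches (the "[1440]" number Jintan asks for), and parses RkUnhooker's IAT-modification lines to group hooked imports by process and by the DLL that placed the hook, flagging any process whose hooked import chain passes through a networking DLL such as ws2_32.dll. The two regexes and the NETWORK_DLLS set are my assumptions about the line layout, derived only from the lines posted in this thread.

```python
import re
from collections import defaultdict

# Sample lines copied from the GMER and RkUnhooker output posted in this thread.
GMER_USER_CODE = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[268] ntdll.dll!DbgBreakPoint 7C901230 1 Byte [C3]
.text C:\WINDOWS\Explorer.EXE[268] ntdll.dll!DbgUiRemoteBreakin 7C95077B 5 Bytes JMP 7C923DEF C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1440] ntdll.dll!DbgBreakPoint 7C901230 1 Byte [C3]
.text C:\WINDOWS\System32\svchost.exe[1440] ntdll.dll!DbgUiRemoteBreakin 7C95077B 5 Bytes JMP 7C923DEF C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
"""

RKU_IAT = """
[2608]Ymsgr_tray.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x0040C0E0 [yui.dll]
[2608]Ymsgr_tray.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification 0x0040C29C [yui.dll]
[316]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268 [shimeng.dll]
[316]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB115C [shimeng.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
"""

# Assumed layout of a GMER user-code line (derived from the lines above):
#   .text <image path>[<pid>] <module>!<function> <address> <n> Byte(s) <patch description>
GMER_RE = re.compile(
    r"^\.text\s+(?P<path>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.*)$"
)

# Assumed layout of an RkUnhooker IAT line (derived from the lines above):
#   [<pid>]<process>--><module>-->...--><function>, Type: <type> <address> [<hooking dll>]
RKU_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<chain>\S+?),\s+Type:\s+(?P<type>.+?)"
    r"\s+(?P<addr>0x[0-9A-Fa-f]+)\s+\[(?P<hooker>[^\]]+)\]$"
)

# Imports resolved through these DLLs sit on the Winsock/WinINet path; a hook there is
# the kind of "unseen change to the Winsock" Jintan is worried about for explorer.exe.
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll"}


def parse_gmer_user_code(text):
    """Return one dict per '.text' line found in a GMER 'User code sections' block."""
    entries = []
    for line in text.splitlines():
        m = GMER_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["size"] = int(d["size"])
            entries.append(d)
    return entries


def patched_pids(entries, image_name):
    """Sorted PIDs of patched processes whose image file name matches, e.g. 'svchost.exe'.

    This is the number to look up in Process Explorer to see which services that
    particular svchost instance is hosting.
    """
    wanted = "\\" + image_name.lower()
    return sorted({e["pid"] for e in entries if e["path"].lower().endswith(wanted)})


def parse_rku_iat(text):
    """Return one dict per RkUnhooker IAT-modification line; other lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = RKU_RE.match(line.strip())
        if not m:
            continue
        parts = m.group("chain").split("-->")
        hooks.append({
            "pid": int(m.group("pid")),
            "process": parts[0],
            "modules": parts[1:-1],   # DLLs the import is resolved through
            "function": parts[-1],    # the import whose IAT slot was rewritten
            "type": m.group("type"),
            "addr": int(m.group("addr"), 16),
            "hooker": m.group("hooker"),
        })
    return hooks


def summarize_iat_hooks(hooks):
    """Group hooks by (pid, process): hooking DLLs, hooked imports, network involvement."""
    summary = defaultdict(lambda: {"hookers": set(), "functions": set(), "network_related": False})
    for h in hooks:
        s = summary[(h["pid"], h["process"])]
        s["hookers"].add(h["hooker"])
        s["functions"].add(h["function"])
        if any(mod.lower() in NETWORK_DLLS for mod in h["modules"]):
            s["network_related"] = True
    return dict(summary)


if __name__ == "__main__":
    entries = parse_gmer_user_code(GMER_USER_CODE)
    print("svchost PIDs with user-code patches:", patched_pids(entries, "svchost.exe"))
    for (pid, proc), s in sorted(summarize_iat_hooks(parse_rku_iat(RKU_IAT)).items()):
        flag = "  <- network DLL in hook chain" if s["network_related"] else ""
        print(f"[{pid}] {proc}: {len(s['functions'])} imports hooked by {sorted(s['hookers'])}{flag}")
```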

  9. #39
    Jintan, Moderator (global), Team member
    Registered since
    25.11.2006
    Posts
    5.969

    Re: google redirect, taskbar changes appearance + usb internet connection down etc.

    In fact, regardless of what does occur, go ahead and post the Gmer log either way.
    Live the day!

    Jintan - The brand where everything is right!

  10. #40
    Forum user
    Registered since
    27.01.2011
    Posts
    58

    AW: google redirect, taskbar changes appearance + usb internet connection down etc.

    Thank you very much for your continuing effort, Jintan!

    The log of the 'only non-MS files' GMER scan:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-02-12 14:10:44
    Windows 5.1.2600 Service Pack 2
    Running: l2901tnx.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwldrpog.sys


    ---- Modules - GMER 1.0.15 ----

    Module PxHelp20.sys (Px Engine Device Driver for Windows 2000/XP/Sonic Solutions) BA918000-BA921000 (36864 bytes)
    Module \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) B7DA8000-B8032000 (2662400 bytes)
    Module \SystemRoot\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0a/Windows (R) Server 2003 DDK provider) B7D6F000-B7D94000 (151552 bytes)
    Module \SystemRoot\system32\DRIVERS\athw.sys (Driver for Atheros Wireless Network Adapter/Atheros Communications, Inc.) B7BEE000-B7D6F000 (1576960 bytes)
    Module \SystemRoot\system32\DRIVERS\Rtenicxp.sys (Realtek 10/100/1000 NDIS 5.1 Driver /Realtek Semiconductor Corporation ) B7BD7000-B7BEE000 (94208 bytes)
    Module \SystemRoot\system32\DRIVERS\risdptsk.sys (RICOH SD Driver/REDC) BAB08000-BAB17000 (61440 bytes)
    Module \SystemRoot\system32\DRIVERS\rimmptsk.sys (RICOH SD Driver/REDC) B7B80000-B7B91000 (69632 bytes)
    Module \SystemRoot\system32\DRIVERS\rimsptsk.sys (RICOH MS Driver/REDC) B7B6C000-B7B80000 (81920 bytes)
    Module \SystemRoot\system32\DRIVERS\rixdptsk.sys (RICOH XD SM Driver/REDC) B7B1A000-B7B6C000 (335872 bytes)
    Module \SystemRoot\System32\Drivers\tosrfcom.sys (Bluetooth RFCOMM Driver/TOSHIBA Corporation) BAB18000-BAB28000 (65536 bytes)
    Module \SystemRoot\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) BAC08000-BAC0D000 (20480 bytes)
    Module \SystemRoot\system32\DRIVERS\tosporte.sys (TOSHIBA Bluetooth Port Emulation Driver/TOSHIBA Corporation) BA998000-BA9A3000 (45056 bytes)
    Module \SystemRoot\system32\drivers\RtHDMI.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.) AF615000-AF972000 (3526656 bytes)
    Module \SystemRoot\system32\drivers\RtkHDAud.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.) AF150000-AF5C9000 (4689920 bytes)
    Module \SystemRoot\system32\DRIVERS\AGRSM.sys (SoftModem Device Driver/Agere Systems) AF034000-AF150000 (1163264 bytes)
    Module \SystemRoot\system32\DRIVERS\tosrfusb.sys (Bluetooth USB Miniport Driver/TOSHIBA CORPORATION) BAA88000-BAA93000 (45056 bytes)
    Module \SystemRoot\system32\DRIVERS\tosrfbd.sys (Bluetooth RF Bus Driver/TOSHIBA CORPORATION) AE0D8000-AE0F4000 (114688 bytes)
    Module \SystemRoot\system32\DRIVERS\Tosrfhid.sys (Bluetooth HID Driver from TOSHIBA/TOSHIBA Corporation.) AE062000-AE074000 (73728 bytes)
    Module \SystemRoot\System32\Drivers\tosrfbnp.sys (Bluetooth RFBNEP Driver/TOSHIBA Corporation) BAA98000-BAAA1000 (36864 bytes)
    Module \SystemRoot\system32\DRIVERS\tosrfnds.sys (Bluetooth BNEP Driver/TOSHIBA Corporation.) BAC70000-BAC75000 (20480 bytes)
    Module \SystemRoot\System32\ati2dvag.dll (ATI Radeon WindowsNT Display Driver/ATI Technologies Inc.) BF9D4000-BFA19000 (282624 bytes)
    Module \SystemRoot\System32\ati2cqag.dll (Central Memory Manager / Queue Server Module/ATI Technologies Inc.) BFA19000-BFA93000 (499712 bytes)
    Module \SystemRoot\System32\atikvmag.dll (Virtual Command And Memory Manager/ATI Technologies Inc.) BFA93000-BFAFF000 (442368 bytes)
    Module \SystemRoot\System32\atiok3x2.dll (Ring 0 x2 component/ATI Technologies Inc.) BFAFF000-BFB2D000 (188416 bytes)
    Module \SystemRoot\System32\ati3duag.dll (ati3duag.dll/ATI Technologies Inc. ) BFB2D000-BFE2A000 (3133440 bytes)
    Module \SystemRoot\System32\ativvaxx.dll (Radeon Video Acceleration Universal Driver/ATI Technologies Inc. ) BFE2A000-BFFB0000 (1597440 bytes)
    Module \SystemRoot\System32\ATMFD.DLL (Windows NT OpenType/Type 1 Font Driver/Adobe Systems Incorporated) BFFB0000-BFFF6000 (286720 bytes)
    Module \SystemRoot\system32\DRIVERS\secdrv.sys (Macrovision SECURITY Driver/Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) AB5AE000-AB5D6000 (163840 bytes)
    Module \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwldrpog.sys (GMER) AAEC5000-AAEDD000 (98304 bytes)

    ---- Processes - GMER 1.0.15 ----

    Process C:\WINDOWS\Explorer.EXE (Windows Explorer/Microsoft Corporation) 344
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll (Malwarebytes' Anti-Malware/Malwarebytes Corporation) 0x10000000
    Library C:\WINDOWS\system32\ShellExt\OpenExpert.dll 0x02390000
    Library D:\PROGRAMS\WINZIP\WZSHLSTB.DLL (WinZip Shell Extension DLL/WinZip Computing, Inc.) 0x16200000
    Library C:\Program Files\WinRAR\rarext.dll 0x02D60000
    Library C:\Program Files\Unlocker\UnlockerCOM.dll 0x02D90000
    Library C:\WINDOWS\system32\TosBtShell.dll (TosBtShell/TOSHIBA) 0x02DC0000
    Library C:\WINDOWS\system32\ShellExt\PathCo32.dll (Ninotech Path Copy Shell Extension/Ninotech) 0x02EA0000
    Library C:\WINDOWS\system32\ShellExt\DateEd32.dll (Ninotech Date Edit Shell Extension/Ninotech) 0x02EE0000
    Library C:\WINDOWS\system32\ShellExt\ContextMenuExt.dll 0x02F20000
    Library C:\WINDOWS\system32\ShellExt\ContextAttrib.dll (Edit file attributes from the context menu/Grigri) 0x02F40000
    Library C:\Program Files\Attribute Changer\acshell.dll (Attribute Changer Shell Extension/Romain Petges) 0x03060000
    Library C:\Program Files\Attribute Changer\AcLang.dll (English Language DLL/Romain Petges) 0x03080000
    Library C:\WINDOWS\system32\ShellExt\MERunPrg.dll (Run Program Shell Extension/Synesis Software (Pty) Ltd) 0x56530000

    Process C:\WINDOWS\System32\alg.exe (Application Layer Gateway Service/Microsoft Corporation) 600
    Library C:\WINDOWS\System32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\NOTEPAD.EXE (Notepad/Microsoft Corporation) 884
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.) 984
    Library C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\O2Micro Oz128 Driver\o2flash.exe (O2 Flash Memory Service/O2Micro International) 1060
    Library C:\Program Files\O2Micro Oz128 Driver\o2flash.exe (O2 Flash Memory Service/O2Micro International) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\csrss.exe (Client Server Runtime Process/Microsoft Corporation) 1092
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\winlogon.exe (Windows NT Logon Application/Microsoft Corporation) 1140
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\WINDOWS\system32\Ati2evxx.dll (ATI External Event Utility DLL Module/ATI Technologies Inc.) 0x10000000

    Process C:\WINDOWS\system32\services.exe (Services and Controller app/Microsoft Corporation) 1184
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation) 1196
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\Ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) 1340
    Library C:\WINDOWS\system32\Ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\WINDOWS\system32\Ati2edxx.dll (ati2edxx/ATI Technologies, Inc.) 0x00D60000
    Library C:\WINDOWS\system32\atipdlxx.dll (ATI Desktop CWDDEDI DLL/ATI Technologies, Inc.) 0x10000000

    Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1356
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1420
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1460
    Library C:\WINDOWS\System32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1596
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\AGRSMMSG.exe (SoftModem Messaging Applet/Agere Systems) 1608
    Library C:\WINDOWS\AGRSMMSG.exe (SoftModem Messaging Applet/Agere Systems) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1624
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TosBtMng/TOSHIBA CORPORATION.) 1720
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TosBtMng/TOSHIBA CORPORATION.) 0x00400000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosCpsAPI.dll (TosCpsAPI/TOSHIBA CORPORATION.) 0x10000000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMngHelp.dll (TosBtMngHelp/TOSHIBA CORPORATION.) 0x00340000
    Library C:\WINDOWS\system32\TosAvAPI.dll (TosAvAPI/TOSHIBA CORPORATION.) 0x00380000
    Library C:\WINDOWS\system32\TosBtSDDB.dll (TosBtSDDB/TOSHIBA CORPORATION.) 0x00390000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMngLang.dll (TosBtMngLang/TOSHIBA CORPORATION.) 0x003C0000
    Library C:\WINDOWS\system32\TosBdAPI.dll (TosBdAPI/TOSHIBA CORPORATION.) 0x003D0000
    Library C:\WINDOWS\system32\TosCommAPI.dll 0x00730000
    Library C:\WINDOWS\system32\TosLaneAPI.dll (TosLaneApi/TOSHIBA CORPORATION.) 0x00750000
    Library C:\WINDOWS\system32\TosBtAPI.dll (TosBtAPI/TOSHIBA CORPORATION.) 0x00770000
    Library C:\WINDOWS\system32\LCWizard.dll (Bluetooth Local COM Setup Wizard/TOSHIBA CORPORATION) 0x007E0000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\BtUsrMod.dll (BtUsrMod DLL/TOSHIBA CORPORATION) 0x00870000
    Library C:\WINDOWS\system32\TosHidAPI.dll (TosHidAPI/TOSHIBA CORPORATION.) 0x008B0000
    Library C:\WINDOWS\system32\TosGnsAPI.dll (TosGnsAPI/TOSHIBA CORPORATION.) 0x008D0000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\OemBtAcpiAPI.dll (TOSHIBA CORPORATION.) 0x01070000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtLoad.dll (TosBtLoad/TOSHIBA) 0x011F0000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtAfh.dll 0x01830000

    Process D:\Programs\WinZip\WZQKPICK.EXE (WinZip Executable/WinZip Computing, Inc.) 1724
    Library D:\Programs\WinZip\WZQKPICK.EXE (WinZip Executable/WinZip Computing, Inc.) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1732
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\RTHDCPL.EXE (Realtek HD Audio Control Panel/Realtek Semiconductor Corp.) 1748
    Library C:\WINDOWS\RTHDCPL.EXE (Realtek HD Audio Control Panel/Realtek Semiconductor Corp.) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\Ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) 1776
    Library C:\WINDOWS\system32\Ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\WINDOWS\system32\Ati2edxx.dll (ati2edxx/ATI Technologies, Inc.) 0x00FB0000
    Library C:\WINDOWS\system32\atipdlxx.dll (ATI Desktop CWDDEDI DLL/ATI Technologies, Inc.) 0x10000000
    Library C:\WINDOWS\system32\ati2evxx.dll (ATI External Event Utility DLL Module/ATI Technologies Inc.) 0x00FE0000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (TOSHIBA Bluetooth Service/TOSHIBA CORPORATION) 1820
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (TOSHIBA Bluetooth Service/TOSHIBA CORPORATION) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\WINDOWS\system32\spoolsv.exe (Spooler SubSystem App/Microsoft Corporation) 1964
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\WINDOWS\system32\mdimon.dll (Microsoft® Document Imaging/Microsoft Corporation) 0x00A90000
    Library C:\WINDOWS\system32\tbtmon.dll (TOSHIBA CORPORATION.) 0x10000000
    Library C:\WINDOWS\system32\TosBtHcrpAPI.dll (TOSHIBA CORPORATION.) 0x00AA0000
    Library C:\WINDOWS\system32\TosBtAPI.dll (TosBtAPI/TOSHIBA CORPORATION.) 0x00E50000
    Library C:\WINDOWS\system32\TosBdAPI.dll (TosBdAPI/TOSHIBA CORPORATION.) 0x00EC0000
    Library C:\WINDOWS\system32\tbtmon98Language.dll (TOSHIBA CORPORATION.) 0x00EE0000
    Library C:\WINDOWS\System32\spool\PRTPROCS\W32X86\mdippr.dll (Microsoft® Document Imaging/Microsoft Corporation) 0x00F80000
    Library C:\WINDOWS\System32\spool\PRTPROCS\W32X86\filterpipelineprintproc.dll (Print Filter Pipeline Proxy/Microsoft Corporation) 0x00F90000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe (TosA2dp/TOSHIBA CORPORATION.) 2148
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe (TosA2dp/TOSHIBA CORPORATION.) 0x00400000
    Library C:\WINDOWS\system32\TosBtECCAPI.dll (TosBtECCAPI/TOSHIBA CORPORATION.) 0x10000000
    Library C:\WINDOWS\system32\TosBtAPI.dll (TosBtAPI/TOSHIBA CORPORATION.) 0x00340000
    Library C:\WINDOWS\system32\TosBdAPI.dll (TosBdAPI/TOSHIBA CORPORATION.) 0x003B0000
    Library C:\WINDOWS\system32\TosAvdtAPI.dll (TosAvdtAPI/TOSHIBA CORPORATION.) 0x004C0000
    Library C:\WINDOWS\system32\TosSndAPI.dll (TosSndAPI/TOSHIBA CORPORATION.) 0x003D0000
    Library C:\WINDOWS\system32\TosSndPlug.dll (TosSndPlug/TOSHIBA CORPORATION.) 0x00550000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe (TOSHIBA CORPORATION.) 2160
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe (TOSHIBA CORPORATION.) 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe (TosBtHSP/TOSHIBA CORPORATION.) 2184
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe (TosBtHSP/TOSHIBA CORPORATION.) 0x00400000
    Library C:\WINDOWS\system32\TosBtECCAPI.dll (TosBtECCAPI/TOSHIBA CORPORATION.) 0x10000000
    Library C:\WINDOWS\system32\TosBtAPI.dll (TosBtAPI/TOSHIBA CORPORATION.) 0x00330000
    Library C:\WINDOWS\system32\TosBdAPI.dll (TosBdAPI/TOSHIBA CORPORATION.) 0x003A0000
    Library C:\WINDOWS\system32\LCWizard.dll (Bluetooth Local COM Setup Wizard/TOSHIBA CORPORATION) 0x004C0000
    Library C:\WINDOWS\system32\TosSndAPI.dll (TosSndAPI/TOSHIBA CORPORATION.) 0x003C0000
    Library C:\WINDOWS\system32\TosSndPlug.dll (TosSndPlug/TOSHIBA CORPORATION.) 0x00550000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe (TosAVRC/TOSHIBA CORPORATION.) 2236
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe (TosAVRC/TOSHIBA CORPORATION.) 0x00400000
    Library C:\WINDOWS\system32\TosAvctAPI.dll (TosAvctAPI/TOSHIBA CORPORATION.) 0x10000000
    Library C:\WINDOWS\system32\TosBtAPI.dll (TosBtAPI/TOSHIBA CORPORATION.) 0x00340000
    Library C:\WINDOWS\system32\TosBdAPI.dll (TosBdAPI/TOSHIBA CORPORATION.) 0x003B0000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe (Yahoo! Messenger Tray/Yahoo! Inc.) 2416
    Library C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe (Yahoo! Messenger Tray/Yahoo! Inc.) 0x00400000
    Library C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll 0x61480000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000
    Library C:\PROGRA~1\Yahoo!\MESSEN~1\resources\en-US\res_msgr.dll (Resource Module/Yahoo! Inc.) 0x65000000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe (tosOBEX/TOSHIBA CORPORATION.) 2644
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe (tosOBEX/TOSHIBA CORPORATION.) 0x00400000
    Library C:\WINDOWS\system32\TosBtAPI.dll (TosBtAPI/TOSHIBA CORPORATION.) 0x10000000
    Library C:\WINDOWS\system32\TosBdAPI.dll (TosBdAPI/TOSHIBA CORPORATION.) 0x00330000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosNtfs.dll (SPANworks 2000/TOSHIBA Corporation) 0x00350000
    Library C:\WINDOWS\system32\LCWizard.dll (Bluetooth Local COM Setup Wizard/TOSHIBA CORPORATION) 0x00360000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe (TosBtProc/TOSHIBA CORPORATION.) 2968
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe (TosBtProc/TOSHIBA CORPORATION.) 0x00400000
    Library C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.dll (tosOBEX/TOSHIBA corporation) 0x10000000
    Library C:\WINDOWS\system32\TosBtAPI.dll (TosBtAPI/TOSHIBA CORPORATION.) 0x00340000
    Library C:\WINDOWS\system32\TosBdAPI.dll (TosBdAPI/TOSHIBA CORPORATION.) 0x003B0000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    Process C:\Documents and Settings\Administrator\Desktop\l2901tnx.exe 3672
    Library C:\Documents and Settings\Administrator\Desktop\l2901tnx.exe 0x00400000
    Library C:\WINDOWS\system32\USP10.dll (Uniscribe Unicode script processor/Microsoft Corporation) 0x74D90000

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\DRIVERS\AGRSM.sys (SoftModem Device Driver/Agere Systems) [MANUAL] AgereSoftModem
    Service C:\WINDOWS\system32\DRIVERS\athw.sys (Driver for Atheros Wireless Network Adapter/Atheros Communications, Inc.) [MANUAL] AR5416
    Service C:\WINDOWS\system32\Ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) [AUTO] Ati HotKey Poller
    Service C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) [MANUAL] ati2mtag
    Service Atierecord
    Service C:\combofix\catchme.sys [MANUAL] catchme
    Service C:\WINDOWS\system32\cisvc.exe [MANUAL] CiSvc
    Service C:\Program Files\Google\Update\GoogleUpdate.exe (Google Installer/Google Inc.) [AUTO] gupdate
    Service C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (High Definition Audio Bus Driver v1.0a/Windows (R) Server 2003 DDK provider) [MANUAL] HDAudBus
    Service C:\WINDOWS\system32\DRIVERS\HPZid412.sys (IEEE-1284.4-1999 Driver (Windows 2000)/HP) [MANUAL] HPZid412
    Service C:\WINDOWS\system32\DRIVERS\HPZipr12.sys (IEEE-1284.4-1999 Print Class Driver/HP) [MANUAL] HPZipr12
    Service C:\WINDOWS\system32\DRIVERS\HPZius12.sys (1284.4<->Usb Datalink Driver (Windows 2000)/HP) [MANUAL] HPZius12
    Service C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys (USB Modem/Serial Device Driver/Huawei Technologies Co., Ltd.) [MANUAL] hwdatacard
    Service C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.) [MANUAL] IntcAzAudAddService
    Service C:\Program Files\Java\jre6\bin\jqs.exe (Java(TM) Quick Starter Service/Sun Microsystems, Inc.) [AUTO] JavaQuickStarterService
    Service MSDTC Bridge 3.0.0.0
    Service C:\Program Files\O2Micro Oz128 Driver\o2flash.exe (O2 Flash Memory Service/O2Micro International) [AUTO] o2flash
    Service C:\combofix\PEV.cfxxe [AUTO] PEVSystemStart
    Service C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies DirectParallel IO Library/Parallel Technologies, Inc.) [MANUAL] Ptilink
    Service C:\WINDOWS\System32\Drivers\PxHelp20.sys (Px Engine Device Driver for Windows 2000/XP/Sonic Solutions) [BOOT] PxHelp20
    Service C:\WINDOWS\system32\DRIVERS\rimmptsk.sys (RICOH SD Driver/REDC) [AUTO] rimmptsk
    Service C:\WINDOWS\system32\DRIVERS\rimsptsk.sys (RICOH MS Driver/REDC) [AUTO] rimsptsk
    Service C:\WINDOWS\system32\DRIVERS\risdptsk.sys (RICOH SD Driver/REDC) [MANUAL] risdptsk
    Service C:\WINDOWS\system32\DRIVERS\rixdptsk.sys (RICOH XD SM Driver/REDC) [AUTO] rismxdp
    Service C:\WINDOWS\system32\drivers\RtHDMI.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.) [MANUAL] RTHDMIAzAudService
    Service C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys (Realtek 10/100/1000 NDIS 5.1 Driver /Realtek Semiconductor Corporation ) [MANUAL] RTLE8023xp
    Service C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision SECURITY Driver/Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [AUTO] Secdrv
    Service ServiceModelEndpoint 3.0.0.0
    Service ServiceModelOperation 3.0.0.0
    Service ServiceModelService 3.0.0.0
    Service C:\WINDOWS\system32\DRIVERS\sffp_sd.sys (Small Form Factor SD Protocol Driver/Microsoft Corporation) [MANUAL] sffp_sd
    Service SMSvcHost 3.0.0.0
    Service C:\WINDOWS\system32\DRIVERS\StreamIP.sys (Microsoft IP Test Driver/Microsoft Corporation) [MANUAL] streamip
    Service C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (TOSHIBA Bluetooth Service/TOSHIBA CORPORATION) [AUTO] TOSHIBA Bluetooth Service
    Service C:\WINDOWS\system32\DRIVERS\tosporte.sys (TOSHIBA Bluetooth Port Emulation Driver/TOSHIBA Corporation) [MANUAL] tosporte
    Service C:\WINDOWS\system32\DRIVERS\tosrfbd.sys (Bluetooth RF Bus Driver/TOSHIBA CORPORATION) [MANUAL] tosrfbd
    Service C:\WINDOWS\System32\Drivers\tosrfbnp.sys (Bluetooth RFBNEP Driver/TOSHIBA Corporation) [MANUAL] tosrfbnp
    Service C:\WINDOWS\System32\Drivers\tosrfcom.sys (Bluetooth RFCOMM Driver/TOSHIBA Corporation) [SYSTEM] Tosrfcom
    Service C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys (Bluetooth HID Driver from TOSHIBA/TOSHIBA Corporation.) [MANUAL] Tosrfhid
    Service C:\WINDOWS\system32\DRIVERS\tosrfnds.sys (Bluetooth BNEP Driver/TOSHIBA Corporation.) [MANUAL] tosrfnds
    Service C:\WINDOWS\system32\drivers\tosrfsnd.sys (Bluetooth Audio Driver (WDM)/TOSHIBA Corporation) [MANUAL] TosRfSnd
    Service C:\WINDOWS\system32\DRIVERS\tosrfusb.sys (Bluetooth USB Miniport Driver/TOSHIBA CORPORATION) [MANUAL] tosrfusb
    Service Windows Workflow Foundation 3.0.0.0

    ---- EOF - GMER 1.0.15 ----


    I could not find any
    ---- User code sections - GMER 1.0.15 ----
    nor any line which looked like the ones you described; the only svchost entries did not have any numbers in brackets.

    I first thought not to proceed, but in the end I also ran 'Process Explorer', where there were 4 entries for svchost, numbered 1416, 1456, 1564 and 1624, all described as a Generic Host Process for WIN32 Services.
