Aggressive, unremovable rootkit infection

Solved
By videoart
Dec 17, 2011
  1. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Read my previous reply.
  2. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    Farbar Service Scanner
    Ran by Chris Wright (administrator) on 19-12-2011 at 20:14:05
    Microsoft Windows XP Professional Service Pack 2 (X86)
    ********************************************************

    Service Check:
    ==============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Tcpip Service is not running. Checking service configuration:
    The start type of Tcpip service is OK.
    The ImagePath of Tcpip service is OK.

    IpSec Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open IpSec registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open IpSec registry key. The service key does not exist.


    File Check:
    ===========
    C:\WINDOWS\system32\svchost.exe
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

    C:\WINDOWS\system32\rpcss.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0398848 ____A (Microsoft Corporation) B4432F04B0507F332AA6232AB35A3233

    C:\WINDOWS\system32\services.exe
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

    C:\WINDOWS\system32\dhcpcsvc.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0112128 ____A (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE

    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2004-08-03 15:14] - [2004-08-03 15:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

    C:\WINDOWS\system32\Drivers\tcpip.sys
    [2006-08-15 15:22] - [2006-08-15 15:22] - 0360576 ____A (Microsoft Corporation) B2220C618B42A2212A59D91EBD6FC4B4

    C:\WINDOWS\system32\Drivers\ipsec.sys
    [2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

    C:\WINDOWS\system32\dnsrslvr.dll
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D


    Connection Status:
    ==================
    Localhost is blocked.
    There is no connection to network.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Yahoo IP returend error: Other errors

    **** End of log ****
  3. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    I'm guessing my problems are now out of the scope of what's handled here--can you recommend another forum where I can get the internet issue resolved?
  4. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    We can try to handle it here.

    It looks like you have one registry key missing.
    Let's see....

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :reg
      HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\ipsec /s
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  5. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    SystemLook 30.07.11 by jpshortstuff
    Log created at 22:37 on 20/12/2011 by Chris Wright
    Administrator - Elevation successful

    ========== reg ==========

    [HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\ipsec]
    (Unable to open key - key not found)

    -= EOF =-
  6. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Following steps involve registry editing. Please create new restore point before proceeding!!!
    How to:
    XP - http://support.microsoft.com/kb/948247
    Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/

    Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
    Unzip the file.
    You'll find six files inside.
    Right click on ipsec.reg file, click "Merge".
    Allow registry merge.

    Restart computer and let me know how it goes.
  7. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    Still the Error 720 message...No internet connection possible.
  8. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Post new Farbar Service Scanner log.
  9. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    Farbar Service Scanner
    Ran by Chris Wright (administrator) on 20-12-2011 at 22:52:29
    Microsoft Windows XP Service Pack 2 (X86)
    ********************************************************

    Service Check:
    ==============
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Tcpip Service is not running. Checking service configuration:
    The start type of Tcpip service is OK.
    The ImagePath of Tcpip service is OK.


    File Check:
    ===========
    C:\WINDOWS\system32\svchost.exe
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

    C:\WINDOWS\system32\rpcss.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0398848 ____A (Microsoft Corporation) B4432F04B0507F332AA6232AB35A3233

    C:\WINDOWS\system32\services.exe
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

    C:\WINDOWS\system32\dhcpcsvc.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0112128 ____A (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE

    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2004-08-03 15:14] - [2004-08-03 15:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

    C:\WINDOWS\system32\Drivers\tcpip.sys
    [2006-08-15 15:22] - [2006-08-15 15:22] - 0360576 ____A (Microsoft Corporation) B2220C618B42A2212A59D91EBD6FC4B4

    C:\WINDOWS\system32\Drivers\ipsec.sys
    [2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

    C:\WINDOWS\system32\dnsrslvr.dll
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D


    Connection Status:
    ==================
    Localhost is blocked.
    LAN connected.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Yahoo IP returend error: Other errors

    **** End of log ****
  10. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    That looks good now.

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    ============================================================

    Please download MiniToolBox and run it.

    Checkmark following boxes:
    • Report IE Proxy Settings
    • Report FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Devices
    • List Users, Partitions and Memory size
    Click Go and post the result.
  11. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    111 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  12. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    MiniToolBox by Farbar
    Ran by Chris Wright (administrator) on 20-12-2011 at 23:05:37
    Microsoft Windows XP Professional Service Pack 2 (X86)

    ***************************************************************************

    ========================= IE Proxy Settings: ==============================

    Proxy is not enabled.
    No Proxy Server is set.

    ========================= FF Proxy Settings: ==============================

    "network.proxy.http", "127.0.0.1"
    "network.proxy.http_port", 60667
    "network.proxy.type", 0
    ========================= Hosts content: =================================

    127.0.0.1 localhost

    ========================= IP Configuration: ================================

    1394 Net Adapter = 1394 Connection (Connected)
    Intel(R) PRO/100 VE Network Connection = Local Area Connection (Media disconnected)
    Intel(R) PRO/Wireless 3945ABG Network Connection = Wireless Network Connection (Media disconnected)


    # ----------------------------------
    # Interface IP Configuration
    # ----------------------------------
    pushd interface ip



    popd
    # End of interface IP configuration




    Windows IP Configuration



    An internal error occurred: The request is not supported.



    Please contact Microsoft Product Support Services for further help.



    Additional information: Unable to query host name.

    Server: UnKnown
    Address: 127.0.0.1

    Ping request could not find host google.com. Please check the name and try again.

    Server: UnKnown
    Address: 127.0.0.1

    Ping request could not find host yahoo.com. Please check the name and try again.

    Server: UnKnown
    Address: 127.0.0.1

    Ping request could not find host bleepingcomputer.com. Please check the name and try again.

    Unable to contact IP driver, error code 2,

    ========================= Winsock entries =====================================

    Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
    Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog5 04 C:\Windows\System32\nwprovau.dll [144384] (Microsoft Corporation)
    Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 05 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
    Catalog9 18 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
    Catalog9 19 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)

    ========================= Event log errors: ===============================

    Application errors:
    ==================
    Error: (12/20/2011 10:54:19 PM) (Source: JavaQuickStarterService) (User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/20/2011 10:47:04 PM) (Source: JavaQuickStarterService) (User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/20/2011 10:37:21 PM) (Source: JavaQuickStarterService) (User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/20/2011 04:26:16 PM) (Source: JavaQuickStarterService) (User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/20/2011 04:21:56 PM) (Source: JavaQuickStarterService) (User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/19/2011 07:57:34 PM) (Source: JavaQuickStarterService) (User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/19/2011 07:45:25 PM) (Source: JavaQuickStarterService) (User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/19/2011 07:08:49 PM) (Source: JavaQuickStarterService) (User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/19/2011 05:04:06 PM) (Source: JavaQuickStarterService) (User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/19/2011 04:46:43 PM) (Source: JavaQuickStarterService) (User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)


    System errors:
    =============
    Error: (12/20/2011 11:05:38 PM) (Source: Service Control Manager) (User: )
    Description: The TCP/IP Protocol Driver service failed to start due to the following error:
    %%2

    Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
    Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
    %%1075

    Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
    Description: The TCP/IP Protocol Driver service depends on the following nonexistent service: IPSec

    Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
    Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
    %%1075

    Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
    Description: The TCP/IP Protocol Driver service depends on the following nonexistent service: IPSec

    Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
    Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
    %%1075

    Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
    Description: The TCP/IP Protocol Driver service depends on the following nonexistent service: IPSec

    Error: (12/20/2011 10:37:27 PM) (Source: Service Control Manager) (User: )
    Description: The following boot-start or system-start driver(s) failed to load:
    Tcpip

    Error: (12/20/2011 10:37:27 PM) (Source: Service Control Manager) (User: )
    Description: The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
    %%2

    Error: (12/20/2011 10:37:26 PM) (Source: Service Control Manager) (User: )
    Description: The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error:
    %%0


    Microsoft Office Sessions:
    =========================
    Error: (12/20/2011 10:54:19 PM) (Source: JavaQuickStarterService)(User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/20/2011 10:47:04 PM) (Source: JavaQuickStarterService)(User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/20/2011 10:37:21 PM) (Source: JavaQuickStarterService)(User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/20/2011 04:26:16 PM) (Source: JavaQuickStarterService)(User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/20/2011 04:21:56 PM) (Source: JavaQuickStarterService)(User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/19/2011 07:57:34 PM) (Source: JavaQuickStarterService)(User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/19/2011 07:45:25 PM) (Source: JavaQuickStarterService)(User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/19/2011 07:08:49 PM) (Source: JavaQuickStarterService)(User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/19/2011 05:04:06 PM) (Source: JavaQuickStarterService)(User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)

    Error: (12/19/2011 04:46:43 PM) (Source: JavaQuickStarterService)(User: )
    Description: Unable to create JQS API server: bind() failed (Socket error 10050)


    ========================= Devices: ================================

    Name: Modem Device on High Definition Audio Bus
    Description: Modem Device on High Definition Audio Bus
    Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

    Name: Base System Device
    Description: Base System Device
    Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

    Name: Base System Device
    Description: Base System Device
    Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

    Name: Base System Device
    Description: Base System Device
    Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Manufacturer:
    Service:
    Problem: : The drivers for this device are not installed. (Code 28)
    Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


    ========================= Memory info: ===================================

    Percentage of memory in use: 26%
    Total physical RAM: 1013.98 MB
    Available physical RAM: 745.36 MB
    Total Pagefile: 2441.38 MB
    Available Pagefile: 2293.48 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1984.61 MB

    ========================= Partitions: =====================================

    1 Drive c: () (Fixed) (Total:111.78 GB) (Free:24.98 GB) NTFS
    4 Drive g: (TOSHIBA) (Removable) (Total:14.94 GB) (Free:12.16 GB) FAT32

    ========================= Users: ========================================

    User accounts for \\COMPUTER_1

    Administrator Chris Wright Guest
    HelpAssistant SUPPORT_388945a0


    **** End of log ****
  13. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    It looks like we have a problem with Tcpip Service.

    Make sure, your settings are correct.
    1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)
    2. Double click Network Connections (Vista/7 users: Network and Sharing Center)
    3. Vista/7 users - From the list of tasks on the left, click Manage network connections.
    4. For a wired network connection, right-click Local Area Connection, and then select Properties.
    For a wireless network connection, right-click Wireless Network Connection, and then select Properties.
    5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol version 4 (TCP/IPv4), make sure it is checked, and then click Properties
    6. Make sure Obtain an IP Address Automatically and Obtain DNS server address Automatically are checked.
    7. Click on "Advanced" button and make sure "IP Settings" tab looks like this:
    [​IMG]
    Make sure "DNS" tab looks like this:
    [​IMG]
    Make sure "WINS" tab looks like this:
    [​IMG]
    8. Still in Control Panel double click on "Internet options" then "Connections" tab then "LAN Settings" button. Make sure "Automatically detect settings" is checked.
    If you made any changes OK your way out.
    Restart computer.


    If that doesn't work...
    Turn off computer. Disconnect router, and modem from power source for 1 minute. At the same time disconnect ethernet cable as well.
    Reconnect everything.
    Restart computer.

    If that doesn't work, bypass router, and connect computer straight to the modem.

    If that doesn't work...
    Go Start>Run (Start search in Vista), type in:
    cmd
    Click OK (in Vista and 7, while holding CTRL, and SHIFT, press Enter).

    In Command Prompt window, type in following commands, and hit Enter after each one:
    ipconfig /flushdns
    ipconfig /registerdns
    ipconfig /release
    ipconfig /renew
    net stop "dns client"
    net start "dns client"


    Restart computer.

    If that doesn't work...
    Go Start>Run (Start search in Vista and 7), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    At Command Prompt, type in:
    netsh int ip reset reset.log
    Hit Enter.
    Type in:
    netsh winsock reset catalog
    Hit Enter.

    Restart computer.


    If that doesn't work...
    Download, install, and run WinSockFix: http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml (doesn't work in Vista and 7)
    Restart computer, and check again.

    If that doesn't work...
    Download Dial-A-Fix (DAF) (doesn't work in Vista and 7):
    http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles

    Have XP CD available in case DAF needs a file. Likely not!

    Check all boxes on the screen (clear any restrictions if it shows any)
    Then click GO!

    When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

    Here, one at a time, do the below:

    Reinstall BITS
    Reinstall Windows Firewall
    Repair Permissions
    Reset networking

    Watch for any File not found or other errors and make note as this may lead to the fix!

    Restart computer.
  14. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    At the ipconfig/flushdns stage, I'm getting the following:

    Windows IP Configuration

    An internal error occurred: The request is not supported.

    Please contact Microsoft Product Support Services for further help.

    Additional info: Unable to query host name.
  15. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Skip steps which won't work.
  16. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    No luck so far. Still getting the Error 720 message. Used Dial-a-Fix and there were no missing files.
  17. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Please post new GMER log.
  18. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    GMER log 1

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-21 20:07:23
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9120821AS rev.7.24
    Running: q90eu4v7.exe; Driver: C:\DOCUME~1\CHRISW~1\LOCALS~1\Temp\pgliipoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xAA3FFFC4]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xAA464510]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xAA4236A9]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xAA402456]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xAA4024AE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xAA4025C4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xAA42305D]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xAA4023AC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xAA4024FE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xAA402400]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xAA402572]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xAA3FFFE8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xAA423D6F]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xAA424025]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xAA402848]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAA423BDA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAA423A45]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xAA4645C0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xAA3FFDB2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xAA40000C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xAA4029BC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xAA400AA4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xAA402486]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xAA4024D6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xAA4025EE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xAA4233B9]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xAA4023D8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xAA402680]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xAA40253E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xAA40242E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xAA402764]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xAA40259C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xAA464658]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xAA4238C0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xAA40096A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xAA423712]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xAA46C9E6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xAA4226D0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xAA400030]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xAA400054]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xAA3FFE0C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xAA3FFF48]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xAA423E76]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xAA3FFF24]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xAA3FFF6C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xAA400078]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAA4787A2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2C88 80503B48 4 Bytes [E8, FF, 3F, AA]
    PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A4F86 4 Bytes CALL AA40100F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BAF94 5 Bytes JMP AA47569C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObInsertObject 805C18CA 5 Bytes JMP AA47715C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFA64 7 Bytes JMP AA4787A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    .text win32k.sys!EngSetLastError + 757E BF8238B7 5 Bytes JMP AA402B9A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngGetCurrentCodePage + 415A BF885EC6 5 Bytes JMP AA402F76 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngGradientFill + 1899 BF8A5890 5 Bytes JMP AA402ABE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngStretchBltROP + 4033 BF8ADEF1 5 Bytes JMP AA402DE6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngStretchBltROP + 40BE BF8ADF7C 5 Bytes JMP AA402FBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngStretchBltROP + 45FA BF8AE4B8 5 Bytes JMP AA402C0A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngStretchBltROP + A168 BF8B4026 5 Bytes JMP AA402AD6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngAlphaBlend + 3E8 BF8C35B4 5 Bytes JMP AA402CA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngFillPath + 2B41 BF8E1AEF 5 Bytes JMP AA402D14 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngFillPath + 2DC1 BF8E1D6F 5 Bytes JMP AA402D4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngDeleteSemaphore + 3B5F BF8F2C27 5 Bytes JMP AA4029F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 1994 BF911381 5 Bytes JMP AA402B56 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 2568 BF911F55 5 Bytes JMP AA402C6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 4EC2 BF9148AF 5 Bytes JMP AA4030D6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xA9ABEF00, 0x24000, 0x48000000]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 003A0A08
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 003A0804
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 003A0600
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003A01F8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003A03FC
    .text C:\WINDOWS\system32\spoolsv.exe[184] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\spoolsv.exe[184] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\spoolsv.exe[184] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\spoolsv.exe[184] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\Explorer.EXE[544] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
    .text C:\WINDOWS\Explorer.EXE[544] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\Explorer.EXE[544] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\Explorer.EXE[544] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002C1014
    .text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002C0804
    .text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002C0C0C
    .text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002C0E10
    .text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002C0600
    .text C:\WINDOWS\Explorer.EXE[544] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002D0A08
    .text C:\WINDOWS\Explorer.EXE[544] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002D0804
    .text C:\WINDOWS\Explorer.EXE[544] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002D0600
    .text C:\WINDOWS\Explorer.EXE[544] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002D01F8
    .text C:\WINDOWS\Explorer.EXE[544] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002D03FC
    .text C:\WINDOWS\System32\smss.exe[784] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\hkcmd.exe[884] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
    .text C:\WINDOWS\system32\hkcmd.exe[884] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\hkcmd.exe[884] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
    .text C:\WINDOWS\system32\hkcmd.exe[884] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
    .text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
    .text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
    .text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
    .text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
    .text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
    .text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
    .text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
    .text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
    .text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
    .text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
    .text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
    .text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
    .text C:\WINDOWS\system32\igfxtray.exe[900] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
    .text C:\WINDOWS\system32\igfxtray.exe[900] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\igfxtray.exe[900] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
    .text C:\WINDOWS\system32\igfxtray.exe[900] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
    .text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
    .text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
    .text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
    .text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
    .text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
    .text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
    .text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
    .text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
    .text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
    .text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
    .text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
    .text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
    .text C:\WINDOWS\system32\igfxpers.exe[908] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
    .text C:\WINDOWS\system32\igfxpers.exe[908] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\igfxpers.exe[908] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
    .text C:\WINDOWS\system32\igfxpers.exe[908] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
    .text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
    .text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
    .text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
    .text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
    .text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
    .text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
    .text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
    .text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
    .text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
    .text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
    .text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
    .text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
    .text C:\WINDOWS\system32\csrss.exe[912] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\csrss.exe[912] KERNEL32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[936] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000701F8
    .text C:\WINDOWS\system32\winlogon.exe[936] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[936] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000703FC
    .text C:\WINDOWS\system32\winlogon.exe[936] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\services.exe[980] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\services.exe[980] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\services.exe[980] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\services.exe[980] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\services.exe[980] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\services.exe[980] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\services.exe[980] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\services.exe[980] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\services.exe[980] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\lsass.exe[992] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\lsass.exe[992] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\lsass.exe[992] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\lsass.exe[992] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes
  19. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    GMER log 2

    JMP 002C0600
    .text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
    .text C:\Documents and Settings\Chris Wright\Desktop\q90eu4v7.exe[1084] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\Documents and Settings\Chris Wright\Desktop\q90eu4v7.exe[1084] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 004E0A08
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 004E0804
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 004E0600
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 004E01F8
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 004E03FC
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 004F1014
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 004F0804
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 004F0A08
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 004F0C0C
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 004F0E10
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 004F01F8
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 004F03FC
    .text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 004F0600
    .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 003B1014
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 003B0804
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 003B0A08
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 003B0C0C
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 003B0E10
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003B01F8
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003B03FC
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 003B0600
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 003C0A08
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 003C0804
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 003C0600
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003C01F8
    .text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003C03FC
    .text C:\Program Files\AVAST Software\Avast\avastUI.exe[1192] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\avastUI.exe[1192] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1232] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[1232] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1232] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
    .text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
    .text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
    .text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
    .text C:\WINDOWS\system32\svchost.exe[1412] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[1412] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1412] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\igfxext.exe[1572] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
    .text C:\WINDOWS\system32\igfxext.exe[1572] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\igfxext.exe[1572] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
    .text C:\WINDOWS\system32\igfxext.exe[1572] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
    .text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
    .text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
    .text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
    .text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1796] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1796] kernel32.dll!SetUnhandledExceptionFilter 7C8447B5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1796] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 003A0A08
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 003A0804
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 003A0600
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003A01F8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003A03FC
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\wscntfy.exe[2784] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002D0A08
    .text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002D0804
    .text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002D0600
    .text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002D01F8
    .text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002D03FC
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002E1014
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002E0804
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002E0600
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000A01F8
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000A03FC
    .text C:\WINDOWS\system32\wuauclt.exe[3488] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002D0A08
    .text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002D0804
    .text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002D0600
    .text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002D01F8
    .text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002D03FC
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002E1014
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002E0804
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002E0600

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[980] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005E0002
    IAT C:\WINDOWS\system32\services.exe[980] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005E0000

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

    ---- EOF - GMER 1.0.15 ----
  20. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    It's clean.

    Let's try FSS again.
    This is a new version so delete old one and download new one.

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
  21. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    Farbar Service Scanner
    Ran by Chris Wright (administrator) on 21-12-2011 at 20:18:20
    Microsoft Windows XP Professional Service Pack 2 (X86)
    ********************************************************

    Internet Services:
    =================
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Nsi Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open Nsi registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open Nsi registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open Nsi registry key. The service key does not exist.

    Tcpip Service is not running. Checking service configuration:
    The start type of Tcpip service is OK.
    The ImagePath of Tcpip service is OK.


    Connection Status:
    =================
    Localhost is blocked.
    There is no connection to network.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Yahoo IP returend error: Other errors


    Windows Firewall:
    ================
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.


    Firewall Disabled Policy:
    ========================


    System Restore:
    ==============

    System Restore Disabled Policy:
    ==============================


    File Check:
    ==========
    C:\WINDOWS\system32\dhcpcsvc.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0112128 ____A (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE

    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2004-08-03 15:14] - [2004-08-03 15:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

    C:\WINDOWS\system32\Drivers\tcpip.sys
    [2006-08-15 15:22] - [2006-08-15 15:22] - 0360576 ____A (Microsoft Corporation) B2220C618B42A2212A59D91EBD6FC4B4

    C:\WINDOWS\system32\Drivers\ipsec.sys
    [2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

    C:\WINDOWS\system32\dnsrslvr.dll
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

    C:\WINDOWS\system32\ipnathlp.dll
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

    C:\WINDOWS\system32\netman.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0197632 ____A (Microsoft Corporation) 3516D8A18B36784B1005B950B84232E1

    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2010-11-30 15:29] - [2004-08-03 16:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

    C:\WINDOWS\system32\srsvc.dll
    [2010-11-30 15:31] - [2004-08-03 16:56] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

    C:\WINDOWS\system32\Drivers\sr.sys
    [2010-11-30 15:31] - [2004-08-03 15:06] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

    C:\WINDOWS\system32\svchost.exe
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

    C:\WINDOWS\system32\rpcss.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0398848 ____A (Microsoft Corporation) B4432F04B0507F332AA6232AB35A3233

    C:\WINDOWS\system32\services.exe
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4


    **** End of log ****
  22. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    We have another registry key missing - Nsi Service
    Do you have another computer running XP?
  23. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    The laptop I'm using is.
  24. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    On your laptop....

    Go Start>Run, type in:
    regedit
    Click OK.

    In Registry Editor navigate to:
    HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services
    Click on "+" sign next to it to expand that key.
    Scroll down to Nsi key.
    Right click on it, click "Export".
    Save the file to some known location as Nsi (.reg extension will be added automatically).

    Using USB flash drive transfer the file to bad computer.
    Right click on Nsi.reg file, click "Merge".
    Allow registry merge.
    Restart computer.
    Post new FSS log.

    P.S. Can you zip that file and attach it to your next reply?
    It may help me while working on other computers.
  25. videoart

    videoart Newcomer, in training Topic Starter Posts: 40

    Unfortunately, neither the laptop nor my desktop (which also runs XP) has the Nsi key. It jumps from Npfs to Ntfs.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.