
Aggressive, unremovable rootkit infection

Discussion in 'Virus and Malware Removal' started by videoart, Dec 17, 2011.

  1. videoart Newcomer, in training Posts: 40

    No luck so far. Still getting the Error 720 message. Used Dial-a-Fix and there were no missing files.
  2. Broni Malware Annihilator Posts: 39,370   +175

    Please post new GMER log.
  3. videoart Newcomer, in training Posts: 40

    GMER log 1

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-21 20:07:23
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9120821AS rev.7.24
    Running: q90eu4v7.exe; Driver: C:\DOCUME~1\CHRISW~1\LOCALS~1\Temp\pgliipoc.sys


  4. videoart Newcomer, in training Posts: 40

    GMER log 2

    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
    .text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
    .text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
    .text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
    .text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
    .text C:\WINDOWS\system32\svchost.exe[1412] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[1412] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1412] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\igfxext.exe[1572] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
    .text C:\WINDOWS\system32\igfxext.exe[1572] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\igfxext.exe[1572] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
    .text C:\WINDOWS\system32\igfxext.exe[1572] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
    .text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
    .text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
    .text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
    .text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
    .text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1796] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1796] kernel32.dll!SetUnhandledExceptionFilter 7C8447B5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1796] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 003A0A08
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 003A0804
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 003A0600
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003A01F8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003A03FC
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\wscntfy.exe[2784] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002D0A08
    .text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002D0804
    .text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002D0600
    .text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002D01F8
    .text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002D03FC
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002E1014
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002E0804
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002E0600
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000A01F8
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000A03FC
    .text C:\WINDOWS\system32\wuauclt.exe[3488] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
    .text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002D0A08
    .text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002D0804
    .text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002D0600
    .text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002D01F8
    .text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002D03FC
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002E1014
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002E0804
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002E0600

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[980] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005E0002
    IAT C:\WINDOWS\system32\services.exe[980] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005E0000

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

    ---- EOF - GMER 1.0.15 ----
  5. Broni Malware Annihilator Posts: 39,370   +175

    It's clean.

    Let's try FSS again.
    This is a new version so delete old one and download new one.

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.
  6. videoart Newcomer, in training Posts: 40

    Farbar Service Scanner
    Ran by Chris Wright (administrator) on 21-12-2011 at 20:18:20
    Microsoft Windows XP Professional Service Pack 2 (X86)
    ********************************************************

    Internet Services:
    =================
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Nsi Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open Nsi registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open Nsi registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open Nsi registry key. The service key does not exist.

    Tcpip Service is not running. Checking service configuration:
    The start type of Tcpip service is OK.
    The ImagePath of Tcpip service is OK.


    Connection Status:
    =================
    Localhost is blocked.
    There is no connection to network.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Yahoo IP returend error: Other errors


    Windows Firewall:
    ================
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.


    Firewall Disabled Policy:
    ========================


    System Restore:
    ==============

    System Restore Disabled Policy:
    ==============================


    File Check:
    ==========
    C:\WINDOWS\system32\dhcpcsvc.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0112128 ____A (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE

    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2004-08-03 15:14] - [2004-08-03 15:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

    C:\WINDOWS\system32\Drivers\tcpip.sys
    [2006-08-15 15:22] - [2006-08-15 15:22] - 0360576 ____A (Microsoft Corporation) B2220C618B42A2212A59D91EBD6FC4B4

    C:\WINDOWS\system32\Drivers\ipsec.sys
    [2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

    C:\WINDOWS\system32\dnsrslvr.dll
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

    C:\WINDOWS\system32\ipnathlp.dll
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

    C:\WINDOWS\system32\netman.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0197632 ____A (Microsoft Corporation) 3516D8A18B36784B1005B950B84232E1

    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2010-11-30 15:29] - [2004-08-03 16:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

    C:\WINDOWS\system32\srsvc.dll
    [2010-11-30 15:31] - [2004-08-03 16:56] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

    C:\WINDOWS\system32\Drivers\sr.sys
    [2010-11-30 15:31] - [2004-08-03 15:06] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

    C:\WINDOWS\system32\svchost.exe
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

    C:\WINDOWS\system32\rpcss.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0398848 ____A (Microsoft Corporation) B4432F04B0507F332AA6232AB35A3233

    C:\WINDOWS\system32\services.exe
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4


    **** End of log ****
     
  7. Broni Malware Annihilator Posts: 39,370   +175

    We have another registry key missing - Nsi Service
    Do you have another computer running XP?
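The reading of the FSS log that leads to post 7 (every listed service is stopped, but only Nsi is reported without a registry key) can be automated when many such logs have to be triaged. The following is an added example, not part of the original thread and not code from Farbar Service Scanner; it recognises only the line shapes visible in the posted log, and the sample log, function names and finding labels are constructed for illustration.

```python
import re

# Constructed sample in the format of the FSS.txt log posted in this thread.
SAMPLE_FSS_LOG = """\
Farbar Service Scanner
Microsoft Windows XP Professional Service Pack 2 (X86)
********************************************************

Internet Services:
=================
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Nsi Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open Nsi registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open Nsi registry key. The service key does not exist.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

Connection Status:
=================
Localhost is blocked.
There is no connection to network.

Windows Firewall:
================
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

Firewall Disabled Policy:
========================
"""

NOT_RUNNING_RE = re.compile(r"^(?P<svc>\S+) Service is not running\.")
OK_RE = re.compile(r"^The (?P<field>start type|ImagePath|ServiceDll) of \S+ service is OK\.$")
ATTN_RE = re.compile(r"^Checking (?P<field>Start type|ImagePath|ServiceDll): Attention! (?P<msg>.+)$")
MISSING_KEY = "service key does not exist"


def is_underline(line):
    """A section title is followed by a line made only of '=' characters."""
    return bool(line) and set(line) == {"="}


def parse_fss(text):
    """Return per-service check results and the Connection Status lines."""
    lines = [l.strip() for l in text.splitlines()]
    services, connection = {}, []
    section = current = None
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if not line or is_underline(line):
            continue
        if is_underline(nxt):                      # section title
            section, current = line.rstrip(":"), None
            continue
        m = NOT_RUNNING_RE.match(line)
        if m:                                      # start of a service block
            current = services.setdefault(
                m["svc"], {"section": section, "running": False, "ok": [], "problems": {}})
            continue
        m = OK_RE.match(line)
        if m and current is not None:
            current["ok"].append(m["field"].lower())
            continue
        m = ATTN_RE.match(line)
        if m and current is not None:
            current["problems"][m["field"].lower()] = m["msg"]
            continue
        if section == "Connection Status":
            connection.append(line)
    return {"services": services, "connection": connection}


def triage(parsed):
    """Label each stopped service: missing key, other config problem, or config OK."""
    findings = {}
    for name, svc in parsed["services"].items():
        if any(MISSING_KEY in msg for msg in svc["problems"].values()):
            findings[name] = "service key missing"
        elif svc["problems"]:
            findings[name] = "configuration problem"
        else:
            findings[name] = "stopped, configuration OK"
    return findings


if __name__ == "__main__":
    for service, finding in triage(parse_fss(SAMPLE_FSS_LOG)).items():
        print(f"{service}: {finding}")
```

A "service key missing" label only repeats what the tool reported; whether that key is expected on the scanned Windows version still has to be checked against a known-good machine of the same version, as posts 9 and 10 do.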
  8. videoart Newcomer, in training Posts: 40

    The laptop I'm using is.
  9. Broni Malware Annihilator Posts: 39,370   +175

    On your laptop....

    Go Start>Run, type in:
    regedit
    Click OK.

    In Registry Editor navigate to:
    HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services
    Click on "+" sign next to it to expand that key.
    Scroll down to Nsi key.
    Right click on it, click "Export".
    Save the file to some known location as Nsi (.reg extension will be added automatically).

    Using USB flash drive transfer the file to bad computer.
    Right click on Nsi.reg file, click "Merge".
    Allow registry merge.
    Restart computer.
    Post new FSS log.

    P.S. Can you zip that file and attach it to your next reply?
    It may help me while working on other computers.
  10. videoart Newcomer, in training Posts: 40

    Unfortunately, neither the laptop nor my desktop (which also runs XP) has the Nsi key. It jumps from Npfs to Ntfs.
  11. Broni Malware Annihilator Posts: 39,370   +175

    This is strange.
    Are you sure you're in correct registry section?
    Is your laptop fully updated?
  12. videoart Newcomer, in training Posts: 40

    In the correct section, and using SP2.
  13. Broni Malware Annihilator Posts: 39,370   +175

    Let me ask tool creator.
    It may be a while...
  14. videoart Newcomer, in training Posts: 40

    Any word from tool creator?
  15. Broni Malware Annihilator Posts: 39,370   +175

    Oh yeah, sorry about it.
    .
    Post new FSS log.
  16. videoart Newcomer, in training Posts: 40

    Farbar Service Scanner
    Ran by Chris Wright (administrator) on 23-12-2011 at 21:01:34
    Microsoft Windows XP Professional Service Pack 2 (X86)
    ********************************************************

    Internet Services:
    =================
    Dhcp Service is not running. Checking service configuration:
    The start type of Dhcp service is OK.
    The ImagePath of Dhcp service is OK.
    The ServiceDll of Dhcp service is OK.

    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is OK.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.

    Nsi Service is not running. Checking service configuration:
    Checking Start type: Attention! Unable to open Nsi registry key. The service key does not exist.
    Checking ImagePath: Attention! Unable to open Nsi registry key. The service key does not exist.
    Checking ServiceDll: Attention! Unable to open Nsi registry key. The service key does not exist.

    Tcpip Service is not running. Checking service configuration:
    The start type of Tcpip service is OK.
    The ImagePath of Tcpip service is OK.


    Connection Status:
    =================
    Localhost is blocked.
    There is no connection to network.
    Attempt to access Google IP returned error: Other errors
    Attempt to access Yahoo IP returend error: Other errors


    Windows Firewall:
    ================
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.


    Firewall Disabled Policy:
    ========================


    System Restore:
    ==============

    System Restore Disabled Policy:
    ==============================


    File Check:
    ==========
    C:\WINDOWS\system32\dhcpcsvc.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0112128 ____A (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE

    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys
    [2004-08-03 15:14] - [2004-08-03 15:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

    C:\WINDOWS\system32\Drivers\tcpip.sys
    [2006-08-15 15:22] - [2006-08-15 15:22] - 0360576 ____A (Microsoft Corporation) B2220C618B42A2212A59D91EBD6FC4B4

    C:\WINDOWS\system32\Drivers\ipsec.sys
    [2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

    C:\WINDOWS\system32\dnsrslvr.dll
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D

    C:\WINDOWS\system32\ipnathlp.dll
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF

    C:\WINDOWS\system32\netman.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0197632 ____A (Microsoft Corporation) 3516D8A18B36784B1005B950B84232E1

    C:\WINDOWS\system32\wbem\WMIsvc.dll
    [2010-11-30 15:29] - [2004-08-03 16:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E

    C:\WINDOWS\system32\srsvc.dll
    [2010-11-30 15:31] - [2004-08-03 16:56] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838

    C:\WINDOWS\system32\Drivers\sr.sys
    [2010-11-30 15:31] - [2004-08-03 15:06] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24

    C:\WINDOWS\system32\svchost.exe
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

    C:\WINDOWS\system32\rpcss.dll
    [2006-08-15 15:21] - [2006-08-15 15:21] - 0398848 ____A (Microsoft Corporation) B4432F04B0507F332AA6232AB35A3233

    C:\WINDOWS\system32\services.exe
    [2004-08-03 16:56] - [2004-08-03 16:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4


    **** End of log ****
  17. Broni Malware Annihilator Posts: 39,370   +175

    Go Start>Run (Start search in Vista and 7), type in:
    cmd
    Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

    At Command Prompt, type in:
    netsh int ip reset reset.log
    Hit Enter.
    Type in:
    netsh winsock reset catalog
    Hit Enter.

    Apply Fixit from: http://support.microsoft.com/kb/811259/en-us

    Restart computer.
    NOTE for Windows XP users. You may need to apply manual fix from the above link.
  18. videoart Newcomer, in training Posts: 40

    Entered the commands and applied the FixIt. No luck. Error 720 again.
  19. videoart Newcomer, in training Posts: 40

    Of note may be the fact my 1394 Connection reads as Connected in Network Connections, even after unplugging the USB modem.
  20. Broni Malware Annihilator Posts: 39,370   +175

    ...