Solved Aggressive, unremovable rootkit infection
- Thread starter videoart
- Start date
Farbar Service Scanner
Ran by Chris Wright (administrator) on 19-12-2011 at 20:14:05
Microsoft Windows XP Professional Service Pack 2 (X86)
********************************************************
Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.
IpSec Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open IpSec registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open IpSec registry key. The service key does not exist.
File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\rpcss.dll
[2006-08-15 15:21] - [2006-08-15 15:21] - 0398848 ____A (Microsoft Corporation) B4432F04B0507F332AA6232AB35A3233
C:\WINDOWS\system32\services.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4
C:\WINDOWS\system32\dhcpcsvc.dll
[2006-08-15 15:21] - [2006-08-15 15:21] - 0112128 ____A (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\system32\Drivers\tcpip.sys
[2006-08-15 15:22] - [2006-08-15 15:22] - 0360576 ____A (Microsoft Corporation) B2220C618B42A2212A59D91EBD6FC4B4
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-03 16:56] - [2004-08-03 16:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D
Connection Status:
==================
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors
**** End of log ****
Ran by Chris Wright (administrator) on 19-12-2011 at 20:14:05
Microsoft Windows XP Professional Service Pack 2 (X86)
********************************************************
Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.
IpSec Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open IpSec registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open IpSec registry key. The service key does not exist.
File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\rpcss.dll
[2006-08-15 15:21] - [2006-08-15 15:21] - 0398848 ____A (Microsoft Corporation) B4432F04B0507F332AA6232AB35A3233
C:\WINDOWS\system32\services.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4
C:\WINDOWS\system32\dhcpcsvc.dll
[2006-08-15 15:21] - [2006-08-15 15:21] - 0112128 ____A (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\system32\Drivers\tcpip.sys
[2006-08-15 15:22] - [2006-08-15 15:22] - 0360576 ____A (Microsoft Corporation) B2220C618B42A2212A59D91EBD6FC4B4
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-03 16:56] - [2004-08-03 16:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D
Connection Status:
==================
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors
**** End of log ****
Broni
Posts: 56,041 +516
We can try to handle it here.
It looks like you have one registry key missing.
Let's see....
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE
It looks like you have one registry key missing.
Let's see....
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
64-bit users go HERE
- Double-click SystemLook.exe to run it.
- Vista\Win 7 users:: Right click on SystemLook.exe, click Run As Administrator
- Copy the content of the following box and paste it into the main textfield:
Code::reg HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\ipsec /s - Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Broni
Posts: 56,041 +516
Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find six files inside.
Right click on ipsec.reg file, click "Merge".
Allow registry merge.
Restart computer and let me know how it goes.
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find six files inside.
Right click on ipsec.reg file, click "Merge".
Allow registry merge.
Restart computer and let me know how it goes.
Farbar Service Scanner
Ran by Chris Wright (administrator) on 20-12-2011 at 22:52:29
Microsoft Windows XP Service Pack 2 (X86)
********************************************************
Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.
File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\rpcss.dll
[2006-08-15 15:21] - [2006-08-15 15:21] - 0398848 ____A (Microsoft Corporation) B4432F04B0507F332AA6232AB35A3233
C:\WINDOWS\system32\services.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4
C:\WINDOWS\system32\dhcpcsvc.dll
[2006-08-15 15:21] - [2006-08-15 15:21] - 0112128 ____A (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\system32\Drivers\tcpip.sys
[2006-08-15 15:22] - [2006-08-15 15:22] - 0360576 ____A (Microsoft Corporation) B2220C618B42A2212A59D91EBD6FC4B4
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-03 16:56] - [2004-08-03 16:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D
Connection Status:
==================
Localhost is blocked.
LAN connected.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors
**** End of log ****
Ran by Chris Wright (administrator) on 20-12-2011 at 22:52:29
Microsoft Windows XP Service Pack 2 (X86)
********************************************************
Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.
File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\rpcss.dll
[2006-08-15 15:21] - [2006-08-15 15:21] - 0398848 ____A (Microsoft Corporation) B4432F04B0507F332AA6232AB35A3233
C:\WINDOWS\system32\services.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4
C:\WINDOWS\system32\dhcpcsvc.dll
[2006-08-15 15:21] - [2006-08-15 15:21] - 0112128 ____A (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\system32\Drivers\tcpip.sys
[2006-08-15 15:22] - [2006-08-15 15:22] - 0360576 ____A (Microsoft Corporation) B2220C618B42A2212A59D91EBD6FC4B4
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-03 16:56] - [2004-08-03 16:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D
Connection Status:
==================
Localhost is blocked.
LAN connected.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors
**** End of log ****
Broni
Posts: 56,041 +516
That looks good now.
Download Bootkit Remover to your Desktop.
============================================================
Please download MiniToolBox and run it.
Checkmark following boxes:
Download Bootkit Remover to your Desktop.
- Unzip downloaded file to your Desktop.
- Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
- It will show a Black screen with some data on it.
- Right click on the screen and click Select All.
- Press CTRL+C
- Open a Notepad and press CTRL+V
- Post the output back here.
============================================================
Please download MiniToolBox and run it.
Checkmark following boxes:
- Report IE Proxy Settings
- Report FF Proxy Settings
- List content of Hosts
- List IP configuration
- List Winsock Entries
- List last 10 Event Viewer log
- List Devices
- List Users, Partitions and Memory size
Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com
Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
Done;
Press any key to quit...
(c) 2009 Esage Lab
www.esagelab.com
Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)
System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
Size Device Name MBR Status
--------------------------------------------
111 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
Done;
Press any key to quit...
MiniToolBox by Farbar
Ran by Chris Wright (administrator) on 20-12-2011 at 23:05:37
Microsoft Windows XP Professional Service Pack 2 (X86)
***************************************************************************
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= FF Proxy Settings: ==============================
"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 60667
"network.proxy.type", 0
========================= Hosts content: =================================
127.0.0.1 localhost
========================= IP Configuration: ================================
1394 Net Adapter = 1394 Connection (Connected)
Intel(R) PRO/100 VE Network Connection = Local Area Connection (Media disconnected)
Intel(R) PRO/Wireless 3945ABG Network Connection = Wireless Network Connection (Media disconnected)
# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip
popd
# End of interface IP configuration
Windows IP Configuration
An internal error occurred: The request is not supported.
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.
Server: UnKnown
Address: 127.0.0.1
Ping request could not find host google.com. Please check the name and try again.
Server: UnKnown
Address: 127.0.0.1
Ping request could not find host yahoo.com. Please check the name and try again.
Server: UnKnown
Address: 127.0.0.1
Ping request could not find host bleepingcomputer.com. Please check the name and try again.
Unable to contact IP driver, error code 2,
========================= Winsock entries =====================================
Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Windows\System32\nwprovau.dll [144384] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
========================= Event log errors: ===============================
Application errors:
==================
Error: (12/20/2011 10:54:19 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 10:47:04 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 10:37:21 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 04:26:16 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 04:21:56 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 07:57:34 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 07:45:25 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 07:08:49 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 05:04:06 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 04:46:43 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
System errors:
=============
Error: (12/20/2011 11:05:38 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service failed to start due to the following error:
%%2
Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%1075
Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service depends on the following nonexistent service: IPSec
Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%1075
Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service depends on the following nonexistent service: IPSec
Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%1075
Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service depends on the following nonexistent service: IPSec
Error: (12/20/2011 10:37:27 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Tcpip
Error: (12/20/2011 10:37:27 PM) (Source: Service Control Manager) (User: )
Description: The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
%%2
Error: (12/20/2011 10:37:26 PM) (Source: Service Control Manager) (User: )
Description: The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error:
%%0
Microsoft Office Sessions:
=========================
Error: (12/20/2011 10:54:19 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 10:47:04 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 10:37:21 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 04:26:16 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 04:21:56 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 07:57:34 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 07:45:25 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 07:08:49 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 05:04:06 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 04:46:43 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
========================= Devices: ================================
Name: Modem Device on High Definition Audio Bus
Description: Modem Device on High Definition Audio Bus
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
Name: Base System Device
Description: Base System Device
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
Name: Base System Device
Description: Base System Device
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
Name: Base System Device
Description: Base System Device
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
========================= Memory info: ===================================
Percentage of memory in use: 26%
Total physical RAM: 1013.98 MB
Available physical RAM: 745.36 MB
Total Pagefile: 2441.38 MB
Available Pagefile: 2293.48 MB
Total Virtual: 2047.88 MB
Available Virtual: 1984.61 MB
========================= Partitions: =====================================
1 Drive c: () (Fixed) (Total:111.78 GB) (Free:24.98 GB) NTFS
4 Drive g: (TOSHIBA) (Removable) (Total:14.94 GB) (Free:12.16 GB) FAT32
========================= Users: ========================================
User accounts for \\COMPUTER_1
Administrator Chris Wright Guest
HelpAssistant SUPPORT_388945a0
**** End of log ****
Ran by Chris Wright (administrator) on 20-12-2011 at 23:05:37
Microsoft Windows XP Professional Service Pack 2 (X86)
***************************************************************************
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= FF Proxy Settings: ==============================
"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 60667
"network.proxy.type", 0
========================= Hosts content: =================================
127.0.0.1 localhost
========================= IP Configuration: ================================
1394 Net Adapter = 1394 Connection (Connected)
Intel(R) PRO/100 VE Network Connection = Local Area Connection (Media disconnected)
Intel(R) PRO/Wireless 3945ABG Network Connection = Wireless Network Connection (Media disconnected)
# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip
popd
# End of interface IP configuration
Windows IP Configuration
An internal error occurred: The request is not supported.
Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.
Server: UnKnown
Address: 127.0.0.1
Ping request could not find host google.com. Please check the name and try again.
Server: UnKnown
Address: 127.0.0.1
Ping request could not find host yahoo.com. Please check the name and try again.
Server: UnKnown
Address: 127.0.0.1
Ping request could not find host bleepingcomputer.com. Please check the name and try again.
Unable to contact IP driver, error code 2,
========================= Winsock entries =====================================
Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 04 C:\Windows\System32\nwprovau.dll [144384] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\rsvpsp.dll [90112] (Microsoft Corporation)
========================= Event log errors: ===============================
Application errors:
==================
Error: (12/20/2011 10:54:19 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 10:47:04 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 10:37:21 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 04:26:16 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 04:21:56 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 07:57:34 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 07:45:25 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 07:08:49 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 05:04:06 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 04:46:43 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
System errors:
=============
Error: (12/20/2011 11:05:38 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service failed to start due to the following error:
%%2
Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%1075
Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service depends on the following nonexistent service: IPSec
Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%1075
Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service depends on the following nonexistent service: IPSec
Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%1075
Error: (12/20/2011 10:37:35 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP Protocol Driver service depends on the following nonexistent service: IPSec
Error: (12/20/2011 10:37:27 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Tcpip
Error: (12/20/2011 10:37:27 PM) (Source: Service Control Manager) (User: )
Description: The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error:
%%2
Error: (12/20/2011 10:37:26 PM) (Source: Service Control Manager) (User: )
Description: The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error:
%%0
Microsoft Office Sessions:
=========================
Error: (12/20/2011 10:54:19 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 10:47:04 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 10:37:21 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 04:26:16 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/20/2011 04:21:56 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 07:57:34 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 07:45:25 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 07:08:49 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 05:04:06 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
Error: (12/19/2011 04:46:43 PM) (Source: JavaQuickStarterService)(User: )
Description: Unable to create JQS API server: bind() failed (Socket error 10050)
========================= Devices: ================================
Name: Modem Device on High Definition Audio Bus
Description: Modem Device on High Definition Audio Bus
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
Name: Base System Device
Description: Base System Device
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
Name: Base System Device
Description: Base System Device
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
Name: Base System Device
Description: Base System Device
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
========================= Memory info: ===================================
Percentage of memory in use: 26%
Total physical RAM: 1013.98 MB
Available physical RAM: 745.36 MB
Total Pagefile: 2441.38 MB
Available Pagefile: 2293.48 MB
Total Virtual: 2047.88 MB
Available Virtual: 1984.61 MB
========================= Partitions: =====================================
1 Drive c: () (Fixed) (Total:111.78 GB) (Free:24.98 GB) NTFS
4 Drive g: (TOSHIBA) (Removable) (Total:14.94 GB) (Free:12.16 GB) FAT32
========================= Users: ========================================
User accounts for \\COMPUTER_1
Administrator Chris Wright Guest
HelpAssistant SUPPORT_388945a0
**** End of log ****
Broni
Posts: 56,041 +516
It looks like we have a problem with Tcpip Service.
Make sure, your settings are correct.
1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)
2. Double click Network Connections (Vista/7 users: Network and Sharing Center)
3. Vista/7 users - From the list of tasks on the left, click Manage network connections.
4. For a wired network connection, right-click Local Area Connection, and then select Properties.
For a wireless network connection, right-click Wireless Network Connection, and then select Properties.
5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol version 4 (TCP/IPv4), make sure it is checked, and then click Properties
6. Make sure Obtain an IP Address Automatically and Obtain DNS server address Automatically are checked.
7. Click on "Advanced" button and make sure "IP Settings" tab looks like this:
Make sure "DNS" tab looks like this:
Make sure "WINS" tab looks like this:
8. Still in Control Panel double click on "Internet options" then "Connections" tab then "LAN Settings" button. Make sure "Automatically detect settings" is checked.
If you made any changes OK your way out.
Restart computer.
If that doesn't work...
Turn off computer. Disconnect router, and modem from power source for 1 minute. At the same time disconnect ethernet cable as well.
Reconnect everything.
Restart computer.
If that doesn't work, bypass router, and connect computer straight to the modem.
If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista and 7, while holding CTRL, and SHIFT, press Enter).
In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"
Restart computer.
If that doesn't work...
Go Start>Run (Start search in Vista and 7), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).
At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.
Restart computer.
If that doesn't work...
Download, install, and run WinSockFix: http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml (doesn't work in Vista and 7)
Restart computer, and check again.
If that doesn't work...
Download Dial-A-Fix (DAF) (doesn't work in Vista and 7):
http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles
Have XP CD available in case DAF needs a file. Likely not!
Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!
When the entire page is finished click the HammerHead at bottom to go to the second DAF page.
Here, one at a time, do the below:
Reinstall BITS
Reinstall Windows Firewall
Repair Permissions
Reset networking
Watch for any File not found or other errors and make note as this may lead to the fix!
Restart computer.
Make sure, your settings are correct.
1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)
2. Double click Network Connections (Vista/7 users: Network and Sharing Center)
3. Vista/7 users - From the list of tasks on the left, click Manage network connections.
4. For a wired network connection, right-click Local Area Connection, and then select Properties.
For a wireless network connection, right-click Wireless Network Connection, and then select Properties.
5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol version 4 (TCP/IPv4), make sure it is checked, and then click Properties
6. Make sure Obtain an IP Address Automatically and Obtain DNS server address Automatically are checked.
7. Click on "Advanced" button and make sure "IP Settings" tab looks like this:
Make sure "DNS" tab looks like this:
Make sure "WINS" tab looks like this:
8. Still in Control Panel double click on "Internet options" then "Connections" tab then "LAN Settings" button. Make sure "Automatically detect settings" is checked.
If you made any changes OK your way out.
Restart computer.
If that doesn't work...
Turn off computer. Disconnect router, and modem from power source for 1 minute. At the same time disconnect ethernet cable as well.
Reconnect everything.
Restart computer.
If that doesn't work, bypass router, and connect computer straight to the modem.
If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista and 7, while holding CTRL, and SHIFT, press Enter).
In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"
Restart computer.
If that doesn't work...
Go Start>Run (Start search in Vista and 7), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).
At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.
Restart computer.
If that doesn't work...
Download, install, and run WinSockFix: http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml (doesn't work in Vista and 7)
Restart computer, and check again.
If that doesn't work...
Download Dial-A-Fix (DAF) (doesn't work in Vista and 7):
http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles
Have XP CD available in case DAF needs a file. Likely not!
Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!
When the entire page is finished click the HammerHead at bottom to go to the second DAF page.
Here, one at a time, do the below:
Reinstall BITS
Reinstall Windows Firewall
Repair Permissions
Reset networking
Watch for any File not found or other errors and make note as this may lead to the fix!
Restart computer.
GMER log 1
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-21 20:07:23
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9120821AS rev.7.24
Running: q90eu4v7.exe; Driver: C:\DOCUME~1\CHRISW~1\LOCALS~1\Temp\pgliipoc.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xAA3FFFC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xAA464510]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xAA4236A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xAA402456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xAA4024AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xAA4025C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xAA42305D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xAA4023AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xAA4024FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xAA402400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xAA402572]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xAA3FFFE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xAA423D6F]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xAA424025]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xAA402848]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAA423BDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAA423A45]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xAA4645C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xAA3FFDB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xAA40000C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xAA4029BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xAA400AA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xAA402486]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xAA4024D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xAA4025EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xAA4233B9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xAA4023D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xAA402680]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xAA40253E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xAA40242E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xAA402764]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xAA40259C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xAA464658]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xAA4238C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xAA40096A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xAA423712]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xAA46C9E6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xAA4226D0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xAA400030]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xAA400054]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xAA3FFE0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xAA3FFF48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xAA423E76]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xAA3FFF24]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xAA3FFF6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xAA400078]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAA4787A2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2C88 80503B48 4 Bytes [E8, FF, 3F, AA]
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A4F86 4 Bytes CALL AA40100F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BAF94 5 Bytes JMP AA47569C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C18CA 5 Bytes JMP AA47715C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFA64 7 Bytes JMP AA4787A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text win32k.sys!EngSetLastError + 757E BF8238B7 5 Bytes JMP AA402B9A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 415A BF885EC6 5 Bytes JMP AA402F76 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 1899 BF8A5890 5 Bytes JMP AA402ABE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 4033 BF8ADEF1 5 Bytes JMP AA402DE6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 40BE BF8ADF7C 5 Bytes JMP AA402FBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 45FA BF8AE4B8 5 Bytes JMP AA402C0A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + A168 BF8B4026 5 Bytes JMP AA402AD6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAlphaBlend + 3E8 BF8C35B4 5 Bytes JMP AA402CA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 2B41 BF8E1AEF 5 Bytes JMP AA402D14 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 2DC1 BF8E1D6F 5 Bytes JMP AA402D4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + 3B5F BF8F2C27 5 Bytes JMP AA4029F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1994 BF911381 5 Bytes JMP AA402B56 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2568 BF911F55 5 Bytes JMP AA402C6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4EC2 BF9148AF 5 Bytes JMP AA4030D6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xA9ABEF00, 0x24000, 0x48000000]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 003A0A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 003A0804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 003A0600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003A01F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003A03FC
.text C:\WINDOWS\system32\spoolsv.exe[184] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\spoolsv.exe[184] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[184] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\spoolsv.exe[184] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\WINDOWS\Explorer.EXE[544] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\Explorer.EXE[544] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[544] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\Explorer.EXE[544] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002C1014
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002C0804
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002C0A08
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002C0E10
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002C01F8
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002C03FC
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002C0600
.text C:\WINDOWS\Explorer.EXE[544] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002D0A08
.text C:\WINDOWS\Explorer.EXE[544] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002D0804
.text C:\WINDOWS\Explorer.EXE[544] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002D0600
.text C:\WINDOWS\Explorer.EXE[544] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002D01F8
.text C:\WINDOWS\Explorer.EXE[544] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002D03FC
.text C:\WINDOWS\System32\smss.exe[784] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[884] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\hkcmd.exe[884] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[884] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\hkcmd.exe[884] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\igfxtray.exe[900] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\igfxtray.exe[900] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\igfxtray.exe[900] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\igfxtray.exe[900] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\igfxpers.exe[908] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\igfxpers.exe[908] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[908] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\igfxpers.exe[908] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\csrss.exe[912] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[912] KERNEL32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[936] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000701F8
.text C:\WINDOWS\system32\winlogon.exe[936] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[936] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000703FC
.text C:\WINDOWS\system32\winlogon.exe[936] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\services.exe[980] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\services.exe[980] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\services.exe[980] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\services.exe[980] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\services.exe[980] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\lsass.exe[992] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\lsass.exe[992] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[992] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\lsass.exe[992] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-21 20:07:23
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9120821AS rev.7.24
Running: q90eu4v7.exe; Driver: C:\DOCUME~1\CHRISW~1\LOCALS~1\Temp\pgliipoc.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xAA3FFFC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xAA464510]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xAA4236A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xAA402456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xAA4024AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xAA4025C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xAA42305D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xAA4023AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xAA4024FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xAA402400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xAA402572]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xAA3FFFE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xAA423D6F]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xAA424025]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xAA402848]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAA423BDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAA423A45]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xAA4645C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xAA3FFDB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xAA40000C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xAA4029BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xAA400AA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xAA402486]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xAA4024D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xAA4025EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xAA4233B9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xAA4023D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xAA402680]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xAA40253E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xAA40242E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xAA402764]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xAA40259C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xAA464658]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xAA4238C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xAA40096A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xAA423712]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xAA46C9E6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xAA4226D0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xAA400030]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xAA400054]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xAA3FFE0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xAA3FFF48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xAA423E76]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xAA3FFF24]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xAA3FFF6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xAA400078]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAA4787A2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2C88 80503B48 4 Bytes [E8, FF, 3F, AA]
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A4F86 4 Bytes CALL AA40100F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BAF94 5 Bytes JMP AA47569C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C18CA 5 Bytes JMP AA47715C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFA64 7 Bytes JMP AA4787A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text win32k.sys!EngSetLastError + 757E BF8238B7 5 Bytes JMP AA402B9A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 415A BF885EC6 5 Bytes JMP AA402F76 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 1899 BF8A5890 5 Bytes JMP AA402ABE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 4033 BF8ADEF1 5 Bytes JMP AA402DE6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 40BE BF8ADF7C 5 Bytes JMP AA402FBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 45FA BF8AE4B8 5 Bytes JMP AA402C0A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + A168 BF8B4026 5 Bytes JMP AA402AD6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAlphaBlend + 3E8 BF8C35B4 5 Bytes JMP AA402CA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 2B41 BF8E1AEF 5 Bytes JMP AA402D14 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 2DC1 BF8E1D6F 5 Bytes JMP AA402D4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + 3B5F BF8F2C27 5 Bytes JMP AA4029F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1994 BF911381 5 Bytes JMP AA402B56 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2568 BF911F55 5 Bytes JMP AA402C6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4EC2 BF9148AF 5 Bytes JMP AA4030D6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xA9ABEF00, 0x24000, 0x48000000]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 003A0A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 003A0804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 003A0600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003A01F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[144] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003A03FC
.text C:\WINDOWS\system32\spoolsv.exe[184] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\spoolsv.exe[184] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[184] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\spoolsv.exe[184] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\spoolsv.exe[184] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\spoolsv.exe[184] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\WINDOWS\Explorer.EXE[544] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\Explorer.EXE[544] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[544] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\Explorer.EXE[544] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002C1014
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002C0804
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002C0A08
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002C0E10
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002C01F8
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002C03FC
.text C:\WINDOWS\Explorer.EXE[544] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002C0600
.text C:\WINDOWS\Explorer.EXE[544] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002D0A08
.text C:\WINDOWS\Explorer.EXE[544] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002D0804
.text C:\WINDOWS\Explorer.EXE[544] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002D0600
.text C:\WINDOWS\Explorer.EXE[544] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002D01F8
.text C:\WINDOWS\Explorer.EXE[544] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002D03FC
.text C:\WINDOWS\System32\smss.exe[784] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[884] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\hkcmd.exe[884] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[884] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\hkcmd.exe[884] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\hkcmd.exe[884] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\hkcmd.exe[884] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\igfxtray.exe[900] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\igfxtray.exe[900] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\igfxtray.exe[900] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\igfxtray.exe[900] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\igfxtray.exe[900] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\igfxtray.exe[900] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\igfxpers.exe[908] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\igfxpers.exe[908] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[908] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\igfxpers.exe[908] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\igfxpers.exe[908] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\igfxpers.exe[908] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\csrss.exe[912] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[912] KERNEL32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[936] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000701F8
.text C:\WINDOWS\system32\winlogon.exe[936] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[936] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000703FC
.text C:\WINDOWS\system32\winlogon.exe[936] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\winlogon.exe[936] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\winlogon.exe[936] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[980] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\services.exe[980] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\services.exe[980] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\services.exe[980] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\services.exe[980] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\services.exe[980] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\services.exe[980] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\services.exe[980] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\lsass.exe[992] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\lsass.exe[992] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[992] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\lsass.exe[992] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\lsass.exe[992] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes
GMER log 2
JMP 002C0600
.text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\Documents and Settings\Chris Wright\Desktop\q90eu4v7.exe[1084] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Documents and Settings\Chris Wright\Desktop\q90eu4v7.exe[1084] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 004E0A08
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 004E0804
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 004E0600
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 004E01F8
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 004E03FC
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 004F1014
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 004F0804
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 004F0A08
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 004F0C0C
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 004F0E10
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 004F01F8
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 004F03FC
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 004F0600
.text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 003B1014
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 003B0804
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 003B0A08
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 003B0C0C
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 003B0E10
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003B01F8
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003B03FC
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 003B0600
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 003C0A08
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 003C0804
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 003C0600
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003C01F8
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003C03FC
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1192] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1192] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1232] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1232] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1232] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
.text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\svchost.exe[1412] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1412] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1412] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\igfxext.exe[1572] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\igfxext.exe[1572] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\igfxext.exe[1572] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\igfxext.exe[1572] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1796] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1796] kernel32.dll!SetUnhandledExceptionFilter 7C8447B5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1796] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 003A0A08
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 003A0804
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 003A0600
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003A01F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003A03FC
.text C:\WINDOWS\system32\wscntfy.exe[2784] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\wscntfy.exe[2784] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[2784] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\wscntfy.exe[2784] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002E0600
.text C:\WINDOWS\system32\wuauclt.exe[3488] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\wuauclt.exe[3488] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[3488] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\wuauclt.exe[3488] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002E0600
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[980] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005E0002
IAT C:\WINDOWS\system32\services.exe[980] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005E0000
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
---- EOF - GMER 1.0.15 ----
JMP 002C0600
.text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\lsass.exe[992] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\Documents and Settings\Chris Wright\Desktop\q90eu4v7.exe[1084] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Documents and Settings\Chris Wright\Desktop\q90eu4v7.exe[1084] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 004E0A08
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 004E0804
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 004E0600
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 004E01F8
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 004E03FC
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 004F1014
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 004F0804
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 004F0A08
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 004F0C0C
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 004F0E10
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 004F01F8
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 004F03FC
.text C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE[1156] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 004F0600
.text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1168] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 003B1014
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 003B0804
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 003B0A08
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 003B0C0C
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 003B0E10
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003B01F8
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003B03FC
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 003B0600
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 003C0A08
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 003C0804
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 003C0600
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003C01F8
.text C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe[1184] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003C03FC
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1192] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1192] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1232] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1232] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1232] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1232] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[1232] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1264] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[1264] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\svchost.exe[1264] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
.text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\System32\svchost.exe[1264] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\svchost.exe[1412] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1412] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1412] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1412] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[1412] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\igfxext.exe[1572] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\igfxext.exe[1572] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\igfxext.exe[1572] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\igfxext.exe[1572] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\igfxext.exe[1572] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\igfxext.exe[1572] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1796] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1796] kernel32.dll!SetUnhandledExceptionFilter 7C8447B5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1796] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 003A0A08
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 003A0804
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 003A0600
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 003A01F8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1828] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 003A03FC
.text C:\WINDOWS\system32\wscntfy.exe[2784] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\wscntfy.exe[2784] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[2784] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\wscntfy.exe[2784] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\wscntfy.exe[2784] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\wscntfy.exe[2784] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002E0600
.text C:\WINDOWS\system32\wuauclt.exe[3488] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\wuauclt.exe[3488] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[3488] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\wuauclt.exe[3488] kernel32.dll!GetBinaryTypeW + 80 7C867DCC 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!UnhookWindowsHookEx 77D4F22E 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!SetWindowsHookExW 77D53DEA 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!SetWindowsHookExA 77D611F1 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!SetWinEventHook 77D617D0 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\wuauclt.exe[3488] USER32.dll!UnhookWinEvent 77D61885 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\wuauclt.exe[3488] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002E0600
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[980] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005E0002
IAT C:\WINDOWS\system32\services.exe[980] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005E0000
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
---- EOF - GMER 1.0.15 ----
Broni
Posts: 56,041 +516
It's clean.
Let's try FSS again.
This is a new version so delete old one and download new one.
Please download Farbar Service Scanner and run it on the computer with the issue.
Let's try FSS again.
This is a new version so delete old one and download new one.
Please download Farbar Service Scanner and run it on the computer with the issue.
- Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Press "Scan".
- It will create a log (FSS.txt) in the same directory the tool is run.
- Please copy and paste the log to your reply.
Farbar Service Scanner
Ran by Chris Wright (administrator) on 21-12-2011 at 20:18:20
Microsoft Windows XP Professional Service Pack 2 (X86)
********************************************************
Internet Services:
=================
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Nsi Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open Nsi registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open Nsi registry key. The service key does not exist.
Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.
Connection Status:
=================
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors
Windows Firewall:
================
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
Firewall Disabled Policy:
========================
System Restore:
==============
System Restore Disabled Policy:
==============================
File Check:
==========
C:\WINDOWS\system32\dhcpcsvc.dll
[2006-08-15 15:21] - [2006-08-15 15:21] - 0112128 ____A (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\system32\Drivers\tcpip.sys
[2006-08-15 15:22] - [2006-08-15 15:22] - 0360576 ____A (Microsoft Corporation) B2220C618B42A2212A59D91EBD6FC4B4
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-03 16:56] - [2004-08-03 16:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D
C:\WINDOWS\system32\ipnathlp.dll
[2004-08-03 16:56] - [2004-08-03 16:56] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF
C:\WINDOWS\system32\netman.dll
[2006-08-15 15:21] - [2006-08-15 15:21] - 0197632 ____A (Microsoft Corporation) 3516D8A18B36784B1005B950B84232E1
C:\WINDOWS\system32\wbem\WMIsvc.dll
[2010-11-30 15:29] - [2004-08-03 16:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E
C:\WINDOWS\system32\srsvc.dll
[2010-11-30 15:31] - [2004-08-03 16:56] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838
C:\WINDOWS\system32\Drivers\sr.sys
[2010-11-30 15:31] - [2004-08-03 15:06] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24
C:\WINDOWS\system32\svchost.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\rpcss.dll
[2006-08-15 15:21] - [2006-08-15 15:21] - 0398848 ____A (Microsoft Corporation) B4432F04B0507F332AA6232AB35A3233
C:\WINDOWS\system32\services.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4
**** End of log ****
Ran by Chris Wright (administrator) on 21-12-2011 at 20:18:20
Microsoft Windows XP Professional Service Pack 2 (X86)
********************************************************
Internet Services:
=================
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.
Nsi Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open Nsi registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open Nsi registry key. The service key does not exist.
Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.
Connection Status:
=================
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors
Windows Firewall:
================
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
Firewall Disabled Policy:
========================
System Restore:
==============
System Restore Disabled Policy:
==============================
File Check:
==========
C:\WINDOWS\system32\dhcpcsvc.dll
[2006-08-15 15:21] - [2006-08-15 15:21] - 0112128 ____A (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\system32\Drivers\tcpip.sys
[2006-08-15 15:22] - [2006-08-15 15:22] - 0360576 ____A (Microsoft Corporation) B2220C618B42A2212A59D91EBD6FC4B4
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-03 15:14] - [2004-08-03 15:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-03 16:56] - [2004-08-03 16:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D
C:\WINDOWS\system32\ipnathlp.dll
[2004-08-03 16:56] - [2004-08-03 16:56] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF
C:\WINDOWS\system32\netman.dll
[2006-08-15 15:21] - [2006-08-15 15:21] - 0197632 ____A (Microsoft Corporation) 3516D8A18B36784B1005B950B84232E1
C:\WINDOWS\system32\wbem\WMIsvc.dll
[2010-11-30 15:29] - [2004-08-03 16:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E
C:\WINDOWS\system32\srsvc.dll
[2010-11-30 15:31] - [2004-08-03 16:56] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838
C:\WINDOWS\system32\Drivers\sr.sys
[2010-11-30 15:31] - [2004-08-03 15:06] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24
C:\WINDOWS\system32\svchost.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\rpcss.dll
[2006-08-15 15:21] - [2006-08-15 15:21] - 0398848 ____A (Microsoft Corporation) B4432F04B0507F332AA6232AB35A3233
C:\WINDOWS\system32\services.exe
[2004-08-03 16:56] - [2004-08-03 16:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4
**** End of log ****
Broni
Posts: 56,041 +516
On your laptop....
Go Start>Run, type in:
regedit
Click OK.
In Registry Editor navigate to:
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services
Click on "+" sign next to it to expand that key.
Scroll down to Nsi key.
Right click on it, click "Export".
Save the file to some known location as Nsi (.reg extension will be added automatically).
Using USB flash drive transfer the file to bad computer.
Right click on Nsi.reg file, click "Merge".
Allow registry merge.
Restart computer.
Post new FSS log.
P.S. Can you zip that file and attach it to your next reply?
It may help me while working on other computers.
Go Start>Run, type in:
regedit
Click OK.
In Registry Editor navigate to:
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services
Click on "+" sign next to it to expand that key.
Scroll down to Nsi key.
Right click on it, click "Export".
Save the file to some known location as Nsi (.reg extension will be added automatically).
Using USB flash drive transfer the file to bad computer.
Right click on Nsi.reg file, click "Merge".
Allow registry merge.
Restart computer.
Post new FSS log.
P.S. Can you zip that file and attach it to your next reply?
It may help me while working on other computers.
Latest posts
-
Logitech thinks the computer mouse needs an AI upgrade- Dimitrios replied
-
Lenovo is first to announce LPCAMM2 memory-equipped laptop- Shawn Knight replied
