Hi, I got a computer here which had a lot of viruses. I have cleaned it with TDSSKiller, MBAM, and Avast, but I'm not finding any more viruses at all; it seems all my registry is screwed up, though. I managed to use a registry file to get the firewall to stay on, but I can't do anything with the updates or Defender. Also, the PunkBuster client won't run on the computer (the original problem, lol). I have followed the 5 steps and here are the logs. Thanks, and I look forward to hearing from you.
mbam
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org
Database version: v2012.01.08.04
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
tommyg :: TOMMYG-PC [administrator]
09/01/2012 01:13:54
mbam-log-2012-01-09 (01-13-54).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200521
Time elapsed: 6 minute(s), 13 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-----------------------------------------------------------------------------------
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-08 22:38:16
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HDT725032VLA380 rev.V54OA73A
Running: mqhqwwfn.exe; Driver: C:\Users\tommyg\AppData\Local\Temp\fwdiipoc.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xCE423FC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xCB582510]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xCE426456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xCE4264AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xCE4265C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xCE4263AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xCE4264FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xCE426400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xCE426572]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xCE423FE8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xCB5825C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xCE423DB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xCE42400C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xCE4269BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xCE424AA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xCE426486]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xCE4264D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xCE4265EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xCE4263D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xCE42653E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xCE42642E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xCE42659C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xCB582658]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xCE42496A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xCE424030]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xCE424054]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xCE423E0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xCE423F48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xCE423F24]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xCE423F6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xCE424078]
INT 0x52 ? C3B4BCD8
INT 0x62 ? C2E53058
INT 0x72 ? C3B4BA58
INT 0x82 ? C3C78A58
INT 0x90 ? C3C782D8
INT 0x92 ? C2E532D8
INT 0xA2 ? C2E537D8
INT 0xB1 ? C2E53CD8
INT 0xB2 ? C2E53558
INT 0xB3 ? C3B4B7D8
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xCB5967A2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKey + 13D1 E1E5B369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 E1E94D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB E1E9BD80 4 Bytes [C4, 3F, 42, CE] {LES EDI, DWORD [EDI]; INC EDX; INTO }
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 E1E9BDA8 4 Bytes [10, 25, 58, CB]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 E1E9BE5C 8 Bytes [56, 64, 42, CE, AE, 64, 42, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 E1E9BE68 4 Bytes [C4, 65, 42, CE] {LES ESP, DWORD [EBP+0x42]; INTO }
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF E1E9BE84 4 Bytes [AC, 63, 42, CE] {LODSB ; ARPL [EDX-0x32], AX}
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject E2028BE8 5 Bytes JMP CB59369C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 E20411D0 5 Bytes JMP CB595174 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 E2056317 4 Bytes CALL CE425025 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 E20700E9 4 Bytes CALL CE42503B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx E20F9F30 7 Bytes JMP CB5967A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0xD1E12000, 0x3BEEC5, 0xE8000020]
.text win32k.sys!EngFntCacheLookUp + 8B0E D47001E5 5 Bytes JMP CE426F90 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateRectRgn + 3819 D47142B2 5 Bytes JMP CE4270D6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCTGetGammaTable + 4C63 D47354EF 5 Bytes JMP CE426B9A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMapFontFileFD + 650 D4756385 5 Bytes JMP CE4269F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMapFontFileFD + 38FE D4759633 5 Bytes JMP CE426ABE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMapFontFileFD + 39BC D47596F1 5 Bytes JMP CE426AD6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngIsSemaphoreOwnedByCurrentThread + 1EF5 D475DD77 5 Bytes JMP CE426FBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 2AB5 D4767748 5 Bytes JMP CE426DE6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + AC45 D476F8D8 5 Bytes JMP CE426C0A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteClip + 480C D47C6C60 5 Bytes JMP CE426B56 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngEqualRgn + 414D D47D4B97 5 Bytes JMP CE426D4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteRgn + 2198 D47F2B8F 5 Bytes JMP CE426D14 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 3457 D482C240 5 Bytes JMP CE426C6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 968D D4832476 5 Bytes JMP CE426CA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE peauth.sys E9437E20 101 Bytes JMP DDFAE422
.text user32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes [E9, 0A, 5C, F5, 88] {JMP 0xffffffff88f55c0f}
.text user32.dll!UnhookWinEvent 772BB750 5 Bytes [E9, A7, 4C, F5, 88] {JMP 0xffffffff88f54cac}
.text user32.dll!SetWindowsHookExW 772BE30C 5 Bytes [E9, F3, 24, F5, 88] {JMP 0xffffffff88f524f8}
.text user32.dll!SetWinEventHook 772C24DC 5 Bytes [E9, 17, DD, F4, 88] {JMP 0xffffffff88f4dd1c}
.text user32.dll!SetWindowsHookExA 772E6D0C 5 Bytes [E9, EF, 98, F2, 88] {JMP 0xffffffff88f298f4}
.text kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\System32\spoolsv.exe[320] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[320] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[320] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[320] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00100A08
.text C:\Windows\System32\spoolsv.exe[320] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 001003FC
.text C:\Windows\System32\spoolsv.exe[320] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00100804
.text C:\Windows\System32\spoolsv.exe[320] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 001001F8
.text C:\Windows\System32\spoolsv.exe[320] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\csrss.exe[408] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[420] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[420] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskhost.exe[420] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[420] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00070A08
.text C:\Windows\system32\taskhost.exe[420] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 000703FC
.text C:\Windows\system32\taskhost.exe[420] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00070804
.text C:\Windows\system32\taskhost.exe[420] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 000701F8
.text C:\Windows\system32\taskhost.exe[420] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00070600
.text C:\Windows\system32\wininit.exe[496] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[496] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[496] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[496] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 000C0A08
.text C:\Windows\system32\wininit.exe[496] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 000C03FC
.text C:\Windows\system32\wininit.exe[496] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 000C0804
.text C:\Windows\system32\wininit.exe[496] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 000C01F8
.text C:\Windows\system32\wininit.exe[496] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 000C0600
.text C:\Windows\system32\csrss.exe[504] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\services.exe[544] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\services.exe[544] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\services.exe[544] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\lsass.exe[568] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsass.exe[568] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[568] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\lsass.exe[568] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00210A08
.text C:\Windows\system32\lsass.exe[568] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 002103FC
.text C:\Windows\system32\lsass.exe[568] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00210804
.text C:\Windows\system32\lsass.exe[568] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 002101F8
.text C:\Windows\system32\lsass.exe[568] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00210600
.text C:\Windows\system32\lsm.exe[576] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\lsm.exe[576] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\lsm.exe[576] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[608] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[608] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[608] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[608] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 000C0A08
.text C:\Windows\system32\winlogon.exe[608] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 000C03FC
.text C:\Windows\system32\winlogon.exe[608] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 000C0804
.text C:\Windows\system32\winlogon.exe[608] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 000C01F8
.text C:\Windows\system32\winlogon.exe[608] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 000C0600
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[820] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[820] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[820] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\atiesrxx.exe[884] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 001603FC
.text C:\Windows\system32\atiesrxx.exe[884] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 001601F8
.text C:\Windows\system32\atiesrxx.exe[884] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\atiesrxx.exe[884] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\atiesrxx.exe[884] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\atiesrxx.exe[884] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\atiesrxx.exe[884] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\atiesrxx.exe[884] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 001F0600
.text C:\Windows\System32\svchost.exe[944] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[944] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[944] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00140A08
.text C:\Windows\System32\svchost.exe[944] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 001403FC
.text C:\Windows\System32\svchost.exe[944] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00140804
.text C:\Windows\System32\svchost.exe[944] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 001401F8
.text C:\Windows\System32\svchost.exe[944] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00140600
.text C:\Windows\System32\svchost.exe[992] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[992] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[992] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00540A08
.text C:\Windows\System32\svchost.exe[992] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 005403FC
.text C:\Windows\System32\svchost.exe[992] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00540804
.text C:\Windows\System32\svchost.exe[992] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 005401F8
.text C:\Windows\System32\svchost.exe[992] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00540600
.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1036] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00770A08
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 007703FC
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00770804
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 007701F8
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00770600
.text C:\Windows\system32\svchost.exe[1204] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1204] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00350A08
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 003503FC
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00350804
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 003501F8
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00350600
.text C:\Windows\system32\atieclxx.exe[1240] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 001603FC
.text C:\Windows\system32\atieclxx.exe[1240] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 001601F8
.text C:\Windows\system32\atieclxx.exe[1240] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\atieclxx.exe[1240] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\atieclxx.exe[1240] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\atieclxx.exe[1240] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\atieclxx.exe[1240] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\atieclxx.exe[1240] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 001F0600
.text C:\Windows\system32\svchost.exe[1376] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1376] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00590A08
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 005903FC
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00590804
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 005901F8
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00590600
.text C:\Windows\system32\svchost.exe[1484] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1484] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1484] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00530A08
.text C:\Windows\system32\svchost.exe[1484] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 005303FC
.text C:\Windows\system32\svchost.exe[1484] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00530804
.text C:\Windows\system32\svchost.exe[1484] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 005301F8
.text C:\Windows\system32\svchost.exe[1484] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00530600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1540] kernel32.dll!SetUnhandledExceptionFilter 75F2F4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1540] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1656] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1656] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 001603FC
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 001601F8
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 001F03FC
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 001F0804
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 001F01F8
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 001F0600
.text C:\Windows\system32\Dwm.exe[1832] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\Dwm.exe[1832] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\Dwm.exe[1832] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[1832] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00130A08
.text C:\Windows\system32\Dwm.exe[1832] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 001303FC
.text C:\Windows\system32\Dwm.exe[1832] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00130804
.text C:\Windows\system32\Dwm.exe[1832] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 001301F8
.text C:\Windows\system32\Dwm.exe[1832] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00130600
.text C:\Windows\Explorer.EXE[1856] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\Explorer.EXE[1856] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\Explorer.EXE[1856] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\Explorer.EXE[1856] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00150A08
.text C:\Windows\Explorer.EXE[1856]
.text win32k.sys!PATHOBJ_vGetBounds + 968D D4832476 5 Bytes JMP CE426CA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE peauth.sys E9437E20 101 Bytes JMP DDFAE422
.text user32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes [E9, 0A, 5C, F5, 88] {JMP 0xffffffff88f55c0f}
.text user32.dll!UnhookWinEvent 772BB750 5 Bytes [E9, A7, 4C, F5, 88] {JMP 0xffffffff88f54cac}
.text user32.dll!SetWindowsHookExW 772BE30C 5 Bytes [E9, F3, 24, F5, 88] {JMP 0xffffffff88f524f8}
.text user32.dll!SetWinEventHook 772C24DC 5 Bytes [E9, 17, DD, F4, 88] {JMP 0xffffffff88f4dd1c}
.text user32.dll!SetWindowsHookExA 772E6D0C 5 Bytes [E9, EF, 98, F2, 88] {JMP 0xffffffff88f298f4}
.text kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\System32\spoolsv.exe[320] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[320] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[320] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[320] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00100A08
.text C:\Windows\System32\spoolsv.exe[320] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 001003FC
.text C:\Windows\System32\spoolsv.exe[320] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00100804
.text C:\Windows\System32\spoolsv.exe[320] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 001001F8
.text C:\Windows\System32\spoolsv.exe[320] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\csrss.exe[408] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[420] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[420] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskhost.exe[420] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[420] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00070A08
.text C:\Windows\system32\taskhost.exe[420] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 000703FC
.text C:\Windows\system32\taskhost.exe[420] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00070804
.text C:\Windows\system32\taskhost.exe[420] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 000701F8
.text C:\Windows\system32\taskhost.exe[420] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00070600
.text C:\Windows\system32\wininit.exe[496] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[496] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[496] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[496] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 000C0A08
.text C:\Windows\system32\wininit.exe[496] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 000C03FC
.text C:\Windows\system32\wininit.exe[496] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 000C0804
.text C:\Windows\system32\wininit.exe[496] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 000C01F8
.text C:\Windows\system32\wininit.exe[496] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 000C0600
.text C:\Windows\system32\csrss.exe[504] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\services.exe[544] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\services.exe[544] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\services.exe[544] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\lsass.exe[568] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsass.exe[568] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[568] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\lsass.exe[568] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00210A08
.text C:\Windows\system32\lsass.exe[568] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 002103FC
.text C:\Windows\system32\lsass.exe[568] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00210804
.text C:\Windows\system32\lsass.exe[568] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 002101F8
.text C:\Windows\system32\lsass.exe[568] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00210600
.text C:\Windows\system32\lsm.exe[576] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\lsm.exe[576] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\lsm.exe[576] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[608] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[608] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[608] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[608] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 000C0A08
.text C:\Windows\system32\winlogon.exe[608] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 000C03FC
.text C:\Windows\system32\winlogon.exe[608] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 000C0804
.text C:\Windows\system32\winlogon.exe[608] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 000C01F8
.text C:\Windows\system32\winlogon.exe[608] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 000C0600
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[732] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[732] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[820] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[820] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[820] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\atiesrxx.exe[884] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 001603FC
.text C:\Windows\system32\atiesrxx.exe[884] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 001601F8
.text C:\Windows\system32\atiesrxx.exe[884] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\atiesrxx.exe[884] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\atiesrxx.exe[884] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\atiesrxx.exe[884] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\atiesrxx.exe[884] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\atiesrxx.exe[884] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 001F0600
.text C:\Windows\System32\svchost.exe[944] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[944] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[944] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00140A08
.text C:\Windows\System32\svchost.exe[944] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 001403FC
.text C:\Windows\System32\svchost.exe[944] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00140804
.text C:\Windows\System32\svchost.exe[944] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 001401F8
.text C:\Windows\System32\svchost.exe[944] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00140600
.text C:\Windows\System32\svchost.exe[992] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[992] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[992] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[992] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00540A08
.text C:\Windows\System32\svchost.exe[992] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 005403FC
.text C:\Windows\System32\svchost.exe[992] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00540804
.text C:\Windows\System32\svchost.exe[992] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 005401F8
.text C:\Windows\System32\svchost.exe[992] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00540600
.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1036] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00770A08
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 007703FC
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00770804
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 007701F8
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00770600
.text C:\Windows\system32\svchost.exe[1204] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1204] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00350A08
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 003503FC
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00350804
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 003501F8
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00350600
.text C:\Windows\system32\atieclxx.exe[1240] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 001603FC
.text C:\Windows\system32\atieclxx.exe[1240] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 001601F8
.text C:\Windows\system32\atieclxx.exe[1240] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\atieclxx.exe[1240] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\atieclxx.exe[1240] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\atieclxx.exe[1240] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\atieclxx.exe[1240] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\atieclxx.exe[1240] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 001F0600
.text C:\Windows\system32\svchost.exe[1376] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1376] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00590A08
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 005903FC
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00590804
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 005901F8
.text C:\Windows\system32\svchost.exe[1376] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00590600
.text C:\Windows\system32\svchost.exe[1484] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1484] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1484] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1484] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00530A08
.text C:\Windows\system32\svchost.exe[1484] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 005303FC
.text C:\Windows\system32\svchost.exe[1484] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00530804
.text C:\Windows\system32\svchost.exe[1484] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 005301F8
.text C:\Windows\system32\svchost.exe[1484] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00530600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1540] kernel32.dll!SetUnhandledExceptionFilter 75F2F4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1540] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1656] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1656] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 001603FC
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 001601F8
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 001F03FC
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 001F0804
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 001F01F8
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[1664] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 001F0600
.text C:\Windows\system32\Dwm.exe[1832] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\Dwm.exe[1832] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\Dwm.exe[1832] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[1832] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00130A08
.text C:\Windows\system32\Dwm.exe[1832] USER32.dll!UnhookWinEvent 772BB750 5 Bytes JMP 001303FC
.text C:\Windows\system32\Dwm.exe[1832] USER32.dll!SetWindowsHookExW 772BE30C 5 Bytes JMP 00130804
.text C:\Windows\system32\Dwm.exe[1832] USER32.dll!SetWinEventHook 772C24DC 5 Bytes JMP 001301F8
.text C:\Windows\system32\Dwm.exe[1832] USER32.dll!SetWindowsHookExA 772E6D0C 5 Bytes JMP 00130600
.text C:\Windows\Explorer.EXE[1856] ntdll.dll!LdrUnloadDll 773DC8DE 5 Bytes JMP 000603FC
.text C:\Windows\Explorer.EXE[1856] ntdll.dll!LdrLoadDll 773E22B8 5 Bytes JMP 000601F8
.text C:\Windows\Explorer.EXE[1856] kernel32.dll!GetBinaryTypeW + 70 75F469F4 1 Byte [62]
.text C:\Windows\Explorer.EXE[1856] USER32.dll!UnhookWindowsHookEx 772BADF9 5 Bytes JMP 00150A08
.text C:\Windows\Explorer.EXE[1856]