Rootkit: hidden boot sector [Solved]



#1 AliceK (Member, 33 posts)
Hi
Avast antivirus has detected a "Rootkit: hidden boot sector" on my computer, which I believe has been removed after a boot-up scan.
Upon discovery of the rootkit, I ran Trend Micro RootkitBuster which detected many entries with "Zw" filenames.
Unfortunately, RootkitBuster can't fix any of the problems it listed.
No unusual behavior has been observed on the computer.


Could someone have a look at my OTL log, please? Thanks very much.

---------------------------

OTL logfile created on: 3/20/2012 5:43:51 AM - Run 1
OTL by OldTimer - Version 3.2.39.1 Folder = C:\Documents and Settings\User\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.22 Gb Total Physical Memory | 2.64 Gb Available Physical Memory | 82.00% Memory free
3.78 Gb Paging File | 3.35 Gb Available in Paging File | 88.70% Paging File free
Paging file location(s): C:\pagefile.sys 742 742 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.06 Gb Total Space | 23.18 Gb Free Space | 59.34% Space Free | Partition Type: NTFS
Drive D: | 35.46 Gb Total Space | 35.38 Gb Free Space | 99.77% Space Free | Partition Type: NTFS

Computer Name: COMPUTER | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/20 05:43:22 | 000,594,432 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2012/03/14 11:14:20 | 000,180,912 | ---- | M] (PortableApps.com) -- C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe
PRC - [2012/03/13 12:39:08 | 000,016,824 | ---- | M] (Mozilla Corporation) -- C:\Documents and Settings\User\Desktop\FirefoxPortable\App\Firefox\plugin-container.exe
PRC - [2012/03/13 12:39:04 | 000,924,600 | ---- | M] (Mozilla Corporation) -- C:\Documents and Settings\User\Desktop\FirefoxPortable\App\Firefox\firefox.exe
PRC - [2011/11/29 02:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/11/29 02:01:23 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2010/12/22 21:21:38 | 000,088,688 | R--- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\KaraokeSer.exe
PRC - [2008/01/16 06:55:46 | 001,327,616 | ---- | M] (Nullsoft) -- C:\Program Files\Winamp\winamp.exe
PRC - [2006/09/21 16:36:18 | 000,053,248 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe
PRC - [2004/08/03 22:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2012/03/20 05:40:10 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Temp\nsj5.tmp\registry.dll
MOD - [2012/03/20 05:40:10 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Temp\nsj5.tmp\System.dll
MOD - [2012/03/20 05:40:10 | 000,008,704 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Temp\nsj5.tmp\newadvsplash.dll
MOD - [2012/03/20 04:44:08 | 001,744,896 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12031901\algo.dll
MOD - [2012/03/13 12:39:06 | 001,969,080 | ---- | M] () -- C:\Documents and Settings\User\Desktop\FirefoxPortable\App\Firefox\mozjs.dll
MOD - [2012/03/06 00:03:22 | 008,527,008 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2009/11/05 08:39:40 | 000,087,552 | ---- | M] () -- C:\WINDOWS\system32\cpwmon2k.dll
MOD - [2008/01/16 06:54:32 | 001,506,816 | ---- | M] () -- C:\Program Files\Winamp\Plugins\gen_ff.dll
MOD - [2008/01/16 06:52:58 | 000,025,088 | ---- | M] () -- C:\Program Files\Winamp\Plugins\gen_hotkeys.dll
MOD - [2008/01/16 06:52:54 | 000,165,376 | ---- | M] () -- C:\Program Files\Winamp\Plugins\gen_ml.dll
MOD - [2008/01/16 06:52:42 | 000,025,088 | ---- | M] () -- C:\Program Files\Winamp\Plugins\gen_tray.dll
MOD - [2008/01/16 06:52:40 | 000,107,008 | ---- | M] () -- C:\Program Files\Winamp\Plugins\in_cdda.dll
MOD - [2008/01/16 06:52:22 | 000,007,168 | ---- | M] () -- C:\Program Files\Winamp\Plugins\in_linein.dll
MOD - [2008/01/16 06:52:18 | 000,098,816 | ---- | M] () -- C:\Program Files\Winamp\Plugins\in_midi.dll
MOD - [2008/01/16 06:52:10 | 000,160,768 | ---- | M] () -- C:\Program Files\Winamp\Plugins\in_mod.dll
MOD - [2008/01/16 06:52:06 | 000,019,456 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_nowplaying.dll
MOD - [2008/01/16 06:51:58 | 000,019,968 | ---- | M] () -- C:\Program Files\Winamp\Plugins\in_flv.dll
MOD - [2008/01/16 06:51:52 | 000,406,528 | ---- | M] () -- C:\Program Files\Winamp\Plugins\in_mp3.dll
MOD - [2008/01/16 06:51:16 | 000,039,936 | ---- | M] () -- C:\Program Files\Winamp\Plugins\in_mp4.dll
MOD - [2008/01/16 06:51:04 | 000,171,520 | ---- | M] () -- C:\Program Files\Winamp\Plugins\in_nsv.dll
MOD - [2008/01/16 06:50:58 | 000,222,208 | ---- | M] () -- C:\Program Files\Winamp\Plugins\in_vorbis.dll
MOD - [2008/01/16 06:50:46 | 000,024,576 | ---- | M] () -- C:\Program Files\Winamp\System\dlmgr.w5s
MOD - [2008/01/16 06:50:42 | 000,026,112 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_autotag.dll
MOD - [2008/01/16 06:50:38 | 000,057,856 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_plg.dll
MOD - [2008/01/16 06:50:26 | 000,184,832 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_wire.dll
MOD - [2008/01/16 06:50:06 | 000,047,104 | ---- | M] () -- C:\Program Files\Winamp\Plugins\out_ds.dll
MOD - [2008/01/16 06:50:04 | 000,018,432 | ---- | M] () -- C:\Program Files\Winamp\Plugins\out_wave.dll
MOD - [2008/01/16 06:49:52 | 000,073,728 | ---- | M] () -- C:\Program Files\Winamp\Plugins\in_dshow.dll
MOD - [2008/01/16 06:49:44 | 000,026,624 | ---- | M] () -- C:\Program Files\Winamp\System\jnetlib.w5s
MOD - [2008/01/16 06:49:32 | 000,365,056 | ---- | M] () -- C:\Program Files\Winamp\System\aacPlusDecoder.w5s
MOD - [2008/01/16 06:49:24 | 000,297,472 | ---- | M] () -- C:\Program Files\Winamp\Plugins\in_wm.dll
MOD - [2008/01/16 06:48:52 | 000,019,456 | ---- | M] () -- C:\Program Files\Winamp\Plugins\out_disk.dll
MOD - [2008/01/16 06:48:50 | 000,012,288 | ---- | M] () -- C:\Program Files\Winamp\System\gracenote.w5s
MOD - [2008/01/16 06:48:46 | 000,013,824 | ---- | M] () -- C:\Program Files\Winamp\Plugins\in_wave.dll
MOD - [2008/01/16 06:48:42 | 000,018,944 | ---- | M] () -- C:\Program Files\Winamp\System\tagz.w5s
MOD - [2008/01/16 06:48:36 | 000,199,168 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_pmp.dll
MOD - [2008/01/16 06:48:14 | 000,212,480 | ---- | M] () -- C:\Program Files\Winamp\Plugins\pmp_ipod.dll
MOD - [2008/01/16 06:48:00 | 000,017,920 | ---- | M] () -- C:\Program Files\Winamp\Plugins\pmp_njb.dll
MOD - [2008/01/16 06:47:56 | 000,114,176 | ---- | M] () -- C:\Program Files\Winamp\Plugins\pmp_p4s.dll
MOD - [2008/01/16 06:47:50 | 000,098,304 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_online.dll
MOD - [2008/01/16 06:47:34 | 000,087,040 | ---- | M] () -- C:\Program Files\Winamp\System\xml.w5s
MOD - [2008/01/16 06:47:28 | 000,094,208 | ---- | M] () -- C:\Program Files\Winamp\System\png.w5s
MOD - [2008/01/16 06:47:20 | 000,019,968 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_bookmarks.dll
MOD - [2008/01/16 06:47:16 | 000,141,824 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_disc.dll
MOD - [2008/01/16 06:47:02 | 000,037,376 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_history.dll
MOD - [2008/01/16 06:46:54 | 000,270,336 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_local.dll
MOD - [2008/01/16 06:46:44 | 000,368,640 | ---- | M] () -- C:\Program Files\Winamp\Plugins\freeform\wacs\freetype\freetype.wac
MOD - [2008/01/16 06:46:40 | 000,070,144 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_playlists.dll
MOD - [2008/01/16 06:46:34 | 000,035,840 | ---- | M] () -- C:\Program Files\Winamp\System\playlist.w5s
MOD - [2008/01/16 06:46:20 | 000,072,704 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_orb.dll
MOD - [2008/01/16 06:46:10 | 000,017,408 | ---- | M] () -- C:\Program Files\Winamp\System\gif.w5s
MOD - [2008/01/16 06:46:08 | 000,011,776 | ---- | M] () -- C:\Program Files\Winamp\System\filereader.w5s
MOD - [2008/01/16 06:46:04 | 000,040,448 | ---- | M] () -- C:\Program Files\Winamp\Plugins\pmp_usb.dll
MOD - [2008/01/16 06:45:54 | 000,025,600 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_rg.dll
MOD - [2008/01/16 06:45:50 | 000,040,960 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_dash.dll
MOD - [2008/01/16 06:45:38 | 000,100,864 | ---- | M] () -- C:\Program Files\Winamp\System\jpeg.w5s
MOD - [2008/01/16 06:45:30 | 000,007,168 | ---- | M] () -- C:\Program Files\Winamp\System\bmp.w5s
MOD - [2008/01/16 06:45:12 | 000,037,376 | ---- | M] () -- C:\Program Files\Winamp\Plugins\in_flac.dll
MOD - [2008/01/16 06:44:52 | 000,027,136 | ---- | M] () -- C:\Program Files\Winamp\Plugins\ml_transcode.dll
MOD - [2008/01/16 06:44:48 | 000,064,000 | ---- | M] () -- C:\Program Files\Winamp\tataki.dll
MOD - [2008/01/16 06:44:40 | 000,201,728 | ---- | M] () -- C:\Program Files\Winamp\libsndfile.dll
MOD - [2008/01/16 06:44:24 | 000,088,576 | ---- | M] () -- C:\Program Files\Winamp\nde.dll
MOD - [2007/10/10 06:50:22 | 000,189,440 | ---- | M] () -- C:\Program Files\Winamp\Plugins\gen_jumpex.dll
MOD - [2004/08/03 22:56:44 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/11/29 02:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/12/22 21:21:38 | 000,088,688 | R--- | M] (VIA Technologies, Inc.) [Auto | Running] -- C:\WINDOWS\system32\KaraokeSer.exe -- (KaraokeService)
SRV - [2009/03/27 22:10:56 | 000,014,336 | ---- | M] (LSI Corporation) [Disabled | Stopped] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xpsec.sys -- (xpsec)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xcpip.sys -- (xcpip)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\User\LOCALS~1\Temp\mfe_rr.sys -- (MFE_RR)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\B.tmp -- (MEMSWEEP2)
DRV - [2012/02/18 16:06:23 | 000,017,488 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2011/11/29 01:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/11/29 01:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/11/29 01:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/11/29 01:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/11/29 01:52:02 | 000,111,320 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/11/29 01:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/11/29 01:48:49 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/03/22 15:58:42 | 000,065,136 | R--- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1c51x86.sys -- (L1c)
DRV - [2011/02/12 14:29:45 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/12/22 21:21:40 | 002,804,720 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\viahduaa.sys -- (VIAHdAudAddService)
DRV - [2009/08/13 15:07:12 | 001,163,328 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2009/08/05 22:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2007/06/27 14:42:00 | 000,207,488 | R--- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vinyl97.sys -- (VIAudio) Vinyl AC'97 Audio Controller (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,start page = http://google.com/
IE - HKCU\..\URLSearchHook: {51a86bb3-6602-4c85-92a5-130ee4864f13} - No CLSID value found
IE - HKCU\..\SearchScopes,DefaultScope = {CCC7A320-B3CA-4199-B1A6-9F516DD69829}
IE - HKCU\..\SearchScopes\{18EAB056-9057-F224-FD4C-1F6569C4D8D2}: "URL" = http://www.plusnetwo...ferrer:source?}
IE - HKCU\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://search.avg.co...{language}&nt=1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/...?FORM=IEFM1&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d9284e50-81fc-11da-a72b-0800200c9a66}:7.5.0
FF - prefs.js..keyword.URL: "http://search.avg.co...&tp=ab&nt=1&q="
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.50401.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2011/05/29 17:25:50 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/01 17:38:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/01 17:38:07 | 000,000,000 | ---D | M]

[2012/03/20 05:40:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2011/05/06 13:11:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions-BackupByFirefoxPortable
[2011/05/06 13:11:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions-BackupByFirefoxPortable\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2012/02/01 11:10:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8gdradj4.default\extensions
[2010/01/28 17:05:04 | 000,001,681 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8gdradj4.default\searchplugins\ask.uk.xml
[2009/12/07 08:13:15 | 000,002,171 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\8gdradj4.default\searchplugins\bing.xml
[2011/05/03 20:35:32 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/21 07:07:17 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/04/21 07:07:17 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/04/21 07:07:17 | 000,000,769 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/04/21 07:07:17 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/07/03 16:13:20 | 000,000,736 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {3AF255C7-8742-4B96-8971-1268EEE04974} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3F954663-A500-42AE-B82D-045EF17D587D}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B79022B6-AD74-4054-ABBF-681C349B3375}: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2009/05/30 11:07:12 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{3e2252da-5006-11de-97fa-0019219d0393}\Shell\AutoRun\command - "" = eman' s picture.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/20 05:43:12 | 000,594,432 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2012/03/17 18:49:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Sophos
[2012/03/17 18:49:14 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2012/03/15 21:31:41 | 000,014,664 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\stinger.sys
[2012/03/15 21:31:13 | 000,000,000 | ---D | C] -- C:\Program Files\stinger
[2012/03/15 21:27:06 | 000,205,072 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2012/03/15 20:54:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\Rootkit
[2012/03/15 20:53:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\FirefoxPortable
[2012/03/15 19:43:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\New Folder
[2012/02/23 15:46:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\perpermohonanpembiayaanptptn
[2012/02/21 21:23:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2012/02/21 21:23:44 | 000,314,456 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2012/02/21 21:23:44 | 000,020,568 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/02/21 21:23:43 | 000,052,952 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2012/02/21 21:23:43 | 000,034,392 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2012/02/21 21:23:42 | 000,435,032 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/02/21 21:23:42 | 000,111,320 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2012/02/21 21:23:41 | 000,105,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2012/02/21 21:23:41 | 000,030,808 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2012/02/21 21:22:34 | 000,199,816 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2012/02/21 21:22:34 | 000,041,184 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/02/21 21:22:22 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/02/21 21:22:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/20 05:43:22 | 000,594,432 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
[2012/03/20 05:29:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/03/17 18:00:00 | 000,014,664 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\stinger.sys
[2012/03/15 21:27:03 | 000,205,072 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2012/03/15 20:55:06 | 000,000,623 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Shortcut to FirefoxPortable.lnk
[2012/03/15 19:41:00 | 003,983,743 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Bondan Prakoso & Fade 2 Black - Ya Sudahlah.mp3
[2012/03/07 18:12:06 | 000,168,195 | ---- | M] () -- C:\Documents and Settings\User\Desktop\preliminary analysis.jpg
[2012/03/06 18:51:15 | 000,850,002 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Tute 3 p1.JPG
[2012/03/02 15:51:07 | 000,779,290 | ---- | M] () -- C:\Documents and Settings\User\Desktop\1.jpg
[2012/02/27 18:18:31 | 004,162,499 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Coldplay - Paradise.mp3
[2012/02/25 20:12:58 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/21 21:23:42 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/02/20 19:09:56 | 000,070,656 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/15 20:55:06 | 000,000,623 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Shortcut to FirefoxPortable.lnk
[2012/03/07 18:11:35 | 000,168,195 | ---- | C] () -- C:\Documents and Settings\User\Desktop\preliminary analysis.jpg
[2012/03/06 18:51:15 | 000,850,002 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Tute 3 p1.JPG
[2012/03/02 15:50:36 | 000,779,290 | ---- | C] () -- C:\Documents and Settings\User\Desktop\1.jpg
[2012/02/25 10:07:07 | 000,038,470 | ---- | C] () -- C:\WINDOWS\System32\hidserv.afm
[2012/02/18 15:19:03 | 000,004,096 | R--- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
[2012/02/18 15:19:03 | 000,000,151 | R--- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
[2012/02/18 15:19:02 | 000,982,224 | R--- | C] () -- C:\WINDOWS\System32\igkrng500.bin
[2012/02/18 15:19:02 | 000,439,336 | R--- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin
[2012/02/18 15:17:28 | 000,254,000 | R--- | C] ( ) -- C:\WINDOWS\System32\Audio3D.dll
[2012/02/18 15:17:28 | 000,254,000 | R--- | C] ( ) -- C:\WINDOWS\System32\A3D.dll
[2012/02/18 15:06:16 | 000,207,400 | R--- | C] () -- C:\WINDOWS\GSetup.exe
[2012/02/18 15:06:16 | 000,000,010 | ---- | C] () -- C:\WINDOWS\GSetup.ini
[2012/01/19 00:50:03 | 000,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2010/12/08 17:28:45 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2010/08/15 20:31:34 | 000,000,130 | ---- | C] () -- C:\WINDOWS\cfplogvw.INI
[2010/07/18 16:19:52 | 000,192,512 | ---- | C] () -- C:\WINDOWS\off-road-uninst.exe

========== LOP Check ==========

[2010/10/05 21:17:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\A-PDF
[2012/02/21 21:22:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2012/02/21 21:19:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2009/05/30 12:17:24 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2011/02/03 10:10:35 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/01/12 20:09:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2012/02/21 21:17:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2009/12/26 13:23:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2010/12/17 09:56:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RegistryCleanerFlash
[2011/06/01 05:56:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2011/02/03 16:01:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/05/29 16:02:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Canon
[2010/11/14 11:42:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\GetRightToGo
[2011/11/25 06:47:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\IsolatedStorage
[2011/03/01 10:37:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Online Games Downloader
[2011/08/01 13:41:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Opera
[2010/12/13 14:45:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Pointstone
[2010/12/17 09:56:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\RegistryCleanerFlash
[2011/04/09 07:48:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\ScanSoft
[2009/07/20 18:08:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Skinux
[2012/02/20 18:55:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Splashtop
[2010/12/17 09:27:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Uniblue
[2010/12/13 08:30:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Wildfire

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >

Edited by AliceK, 19 March 2012 - 04:06 PM.

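As an added example (not part of AliceK's post and not OTL's own code), here is a small Python triage pass over lines in the shape of the OTL log above. It pulls out the line types a helper reads first: driver services whose file is missing (the xpsec, xcpip, MFE_RR and MEMSWEEP2 entries), BHOs and URLSearchHooks whose CLSID no longer resolves, the MountPoints2 autorun command, the alternate data stream, and any Winlogon Shell/UserInit value that differs from the stock one. The sample lines are copied in shape from the log; the one hijacked UserInit line is constructed for the example and is not from this machine. The script only surfaces lines; deciding what each one means is still the helper's job.

```python
"""Added example: triage of OTL-style log lines. Not OTL's code."""
import re

# Constructed sample: lines copied in shape from the OTL log in the post.
SAMPLE_LINES = [
    r"DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xpsec.sys -- (xpsec)",
    r"DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\B.tmp -- (MEMSWEEP2)",
    r"DRV - [2011/11/29 01:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)",
    r"IE - HKCU\..\URLSearchHook: {51a86bb3-6602-4c85-92a5-130ee4864f13} - No CLSID value found",
    r"O2 - BHO: (no name) - {3AF255C7-8742-4B96-8971-1268EEE04974} - No CLSID value found.",
    r"""O33 - MountPoints2\{3e2252da-5006-11de-97fa-0019219d0393}\Shell\AutoRun\command - "" = eman' s picture.exe""",
    r"O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)",
    r"O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)",
    r"@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4",
]
# Constructed, NOT from the log above: the shape of a hijacked UserInit value,
# a second executable appended after the real one. The path is hypothetical.
HIJACKED_USERINIT = (r"O20 - HKLM Winlogon: UserInit - "
                     r"(C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\hypothetical.exe) - "
                     r"C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)")

RULES = [
    # (finding, pattern, why the line deserves a look)
    ("orphaned-driver",
     re.compile(r"^DRV - File not found \[[^\]]*\] -- (?P<path>.+) -- \((?P<name>[^)]+)\)$"),
     "service still registered but its file is gone (often a scanner or uninstall leftover)"),
    ("missing-clsid",
     re.compile(r"^(?:O2 - BHO|IE - HKCU\S*URLSearchHook).*?(?P<clsid>\{[0-9A-Fa-f-]{36}\}).*No CLSID value found"),
     "browser hook registered but its COM object is gone (usually a removed toolbar)"),
    ("autorun-mountpoint",
     re.compile(r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$'),
     "autorun command cached from removable media; typical USB worm remnant"),
    ("alternate-data-stream",
     re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$"),
     "NTFS stream hidden from directory listings; inspect before deleting"),
]

# Stock Winlogon values on XP; anything else is a persistence point to check.
WINLOGON = re.compile(r"^O20 - HKLM Winlogon: (?P<key>Shell|UserInit) - \((?P<value>[^)]+)\) - ")
EXPECTED_WINLOGON = {"shell": "explorer.exe",
                     "userinit": r"c:\windows\system32\userinit.exe"}


def triage(lines):
    """Return one finding dict per suspicious line; clean lines yield nothing."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        for name, pattern, why in RULES:
            m = pattern.match(line)
            if m:
                findings.append({"line": lineno, "finding": name,
                                 "detail": m.groupdict(), "why": why})
        m = WINLOGON.match(line)
        if m:
            key, value = m.group("key").lower(), m.group("value").lower()
            if value != EXPECTED_WINLOGON[key]:
                findings.append({"line": lineno, "finding": "winlogon-mismatch",
                                 "detail": {"key": key, "value": m.group("value")},
                                 "why": "Shell/UserInit differs from the stock value"})
    return findings


def summarize(findings):
    """Count findings by type, for a first look at a long log."""
    counts = {}
    for f in findings:
        counts[f["finding"]] = counts.get(f["finding"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES + [HIJACKED_USERINIT]):
        print(f"line {f['line']:2d}  {f['finding']:22s} {f['detail']}")
    print(summarize(triage(SAMPLE_LINES)))
```

Feed it the whole log (`triage(open("OTL.Txt").read().splitlines())`) and the orphaned drivers, the two dead browser hooks, the cached autorun command and the ADS come out as a short list; the stock Winlogon lines do not appear, and only the constructed hijacked UserInit line produces a mismatch.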


#2 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hello AliceK, and welcome to my office here at G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start, please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous; most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fixes on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you to. Instead, please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed.

Step 1

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside:

    • Verify Driver Digital Signature
    • Detect TDLFS file system
  • then click OK.
  • Click the Start Scan button to start the scan.
  • If a suspicious object is detected, the default action will be Skip.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected for malicious objects.

  • Click Continue, then Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

Step 2

Download aswMBR.exe (511 KB) to your desktop.

  • Double-click aswMBR.exe to run it.
  • Click the "Scan" button to start the scan.
  • On completion of the scan, click Save log, save it to your desktop, and post aswMBR.txt in your next reply.
  • Also, zip the MBR.dat it creates and attach it to your next reply.
Step 3

Download GMER from Here. Note the file's name and save it to your root folder, such as C:.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Step 4

Please don't forget to include these items in your reply:

  • TDSSKiller log
  • aswMBR log
  • GMER log
It would be helpful if you could post each log in a separate post.

#3
AliceK
Topic Starter | Member | 33 posts

maliprog, thanks for helping.
Attached:
TDSSKiller log
aswMBR log + MBR.dat in .zip file
GMER log

02:44:39.0390 1296 TDSS rootkit removing tool 2.7.22.0 Mar 21 2012 17:40:00
02:44:39.0406 1296 ============================================================
02:44:39.0406 1296 Current date / time: 2012/03/24 02:44:39.0406
02:44:39.0406 1296 SystemInfo:
02:44:39.0406 1296
02:44:39.0406 1296 OS Version: 5.1.2600 ServicePack: 2.0
02:44:39.0406 1296 Product type: Workstation
02:44:39.0406 1296 ComputerName: COMPUTER
02:44:39.0406 1296 UserName: User
02:44:39.0406 1296 Windows directory: C:\WINDOWS
02:44:39.0406 1296 System windows directory: C:\WINDOWS
02:44:39.0406 1296 Processor architecture: Intel x86
02:44:39.0406 1296 Number of processors: 2
02:44:39.0406 1296 Page size: 0x1000
02:44:39.0406 1296 Boot type: Normal boot
02:44:39.0406 1296 ============================================================
02:44:40.0359 1296 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
02:44:40.0359 1296 \Device\Harddisk0\DR0:
02:44:40.0359 1296 MBR used
02:44:40.0359 1296 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4E1EDEC
02:44:40.0375 1296 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x4E1EE6A, BlocksNum 0x46EB796
02:44:40.0421 1296 Initialize success
02:44:40.0421 1296 ============================================================
02:45:59.0171 1280 ============================================================
02:45:59.0171 1280 Scan started
02:45:59.0171 1280 Mode: Manual; SigCheck; TDLFS;
02:45:59.0171 1280 ============================================================
02:45:59.0406 1280 Aavmker4 (b6de0336f9f4b687b4ff57939f7b657a) C:\WINDOWS\system32\drivers\Aavmker4.sys
02:45:59.0484 1280 Aavmker4 - ok
02:45:59.0578 1280 Abiosdsk - ok
02:45:59.0671 1280 abp480n5 - ok
02:45:59.0765 1280 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
02:46:00.0453 1280 ACPI - ok
02:46:00.0578 1280 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
02:46:00.0750 1280 ACPIEC - ok
02:46:00.0843 1280 adpu160m - ok
02:46:00.0937 1280 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
02:46:01.0093 1280 aec - ok
02:46:01.0218 1280 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
02:46:01.0343 1280 AFD - ok
02:46:01.0406 1280 AgereModemAudio (6416f9b6b220f0a890525c38235afad7) C:\Program Files\LSI SoftModem\agrsmsvc.exe
02:46:01.0421 1280 AgereModemAudio - ok
02:46:01.0578 1280 AgereSoftModem (7560f465f1ce69c53bf17559ee195548) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
02:46:01.0687 1280 AgereSoftModem - ok
02:46:01.0796 1280 Aha154x - ok
02:46:01.0906 1280 aic78u2 - ok
02:46:01.0968 1280 aic78xx - ok
02:46:02.0046 1280 Alerter (c7ae0fd3867db0d42b03b73c18f3d671) C:\WINDOWS\system32\alrsvc.dll
02:46:02.0171 1280 Alerter - ok
02:46:02.0265 1280 ALG (f1958fbf86d5c004cf19a5951a9514b7) C:\WINDOWS\System32\alg.exe
02:46:02.0328 1280 ALG - ok
02:46:02.0421 1280 AliIde - ok
02:46:02.0515 1280 amsint - ok
02:46:02.0625 1280 AppMgmt (9c3c12975c97119412802b181fbeeffe) C:\WINDOWS\System32\appmgmts.dll
02:46:02.0703 1280 AppMgmt - ok
02:46:02.0796 1280 asc - ok
02:46:02.0859 1280 asc3350p - ok
02:46:02.0953 1280 asc3550 - ok
02:46:03.0015 1280 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
02:46:03.0078 1280 aspnet_state - ok
02:46:03.0203 1280 aswFsBlk (054df24c92b55427e0757cfff160e4f2) C:\WINDOWS\system32\drivers\aswFsBlk.sys
02:46:03.0218 1280 aswFsBlk - ok
02:46:03.0312 1280 aswMon2 (ef0e9ad83380724bd6fbbb51d2d0f5b8) C:\WINDOWS\system32\drivers\aswMon2.sys
02:46:03.0328 1280 aswMon2 - ok
02:46:03.0421 1280 aswRdr (352d5a48ebab35a7693b048679304831) C:\WINDOWS\system32\drivers\aswRdr.sys
02:46:03.0437 1280 aswRdr - ok
02:46:03.0562 1280 aswSnx (8d34d2b24297e27d93e847319abfdec4) C:\WINDOWS\system32\drivers\aswSnx.sys
02:46:03.0593 1280 aswSnx - ok
02:46:03.0718 1280 aswSP (010012597333da1f46c3243f33f8409e) C:\WINDOWS\system32\drivers\aswSP.sys
02:46:03.0734 1280 aswSP - ok
02:46:03.0843 1280 aswTdi (f9f84364416658e9786235904d448d37) C:\WINDOWS\system32\drivers\aswTdi.sys
02:46:03.0843 1280 aswTdi - ok
02:46:03.0953 1280 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
02:46:04.0062 1280 AsyncMac - ok
02:46:04.0187 1280 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
02:46:04.0312 1280 atapi - ok
02:46:04.0406 1280 Atdisk - ok
02:46:04.0515 1280 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
02:46:04.0640 1280 Atmarpc - ok
02:46:04.0750 1280 AudioSrv (db66db626e4882ebef55f136f12c1829) C:\WINDOWS\System32\audiosrv.dll
02:46:04.0875 1280 AudioSrv - ok
02:46:05.0000 1280 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
02:46:05.0109 1280 audstub - ok
02:46:05.0203 1280 avast! Antivirus (996e6d052438e8d8dfd501f31560b2e0) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
02:46:05.0218 1280 avast! Antivirus - ok
02:46:05.0343 1280 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
02:46:05.0453 1280 Beep - ok
02:46:05.0546 1280 BITS (2c69ec7e5a311334d10dd95f338fccea) C:\WINDOWS\system32\qmgr.dll
02:46:05.0750 1280 BITS - ok
02:46:05.0859 1280 Browser (e3cfccdda4edd1d0dc9168b2e18f27b8) C:\WINDOWS\System32\browser.dll
02:46:05.0968 1280 Browser - ok
02:46:06.0109 1280 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
02:46:06.0218 1280 cbidf2k - ok
02:46:06.0328 1280 cd20xrnt - ok
02:46:06.0421 1280 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
02:46:06.0562 1280 Cdfs - ok
02:46:06.0687 1280 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
02:46:06.0812 1280 Cdrom - ok
02:46:06.0890 1280 CiSvc (3192bd04d032a9c4a85a3278c268a13a) C:\WINDOWS\system32\cisvc.exe
02:46:07.0031 1280 CiSvc - ok
02:46:07.0125 1280 ClipSrv (c8dec22c4137d7a90f8bdf41ca4b82ae) C:\WINDOWS\system32\clipsrv.exe
02:46:07.0250 1280 ClipSrv - ok
02:46:07.0343 1280 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
02:46:07.0468 1280 clr_optimization_v2.0.50727_32 - ok
02:46:07.0578 1280 CmdIde - ok
02:46:07.0640 1280 COMSysApp - ok
02:46:07.0750 1280 Cpqarray - ok
02:46:07.0859 1280 CryptSvc (10654f9ddcea9c46cfb77554231be73b) C:\WINDOWS\System32\cryptsvc.dll
02:46:07.0984 1280 CryptSvc - ok
02:46:08.0078 1280 dac2w2k - ok
02:46:08.0156 1280 dac960nt - ok
02:46:08.0281 1280 DcomLaunch (5c83a4408604f737717ab96371201680) C:\WINDOWS\system32\rpcss.dll
02:46:08.0437 1280 DcomLaunch - ok
02:46:08.0531 1280 Dhcp (cb6ca3e5261d65f6f809eed23bf167aa) C:\WINDOWS\System32\dhcpcsvc.dll
02:46:08.0671 1280 Dhcp - ok
02:46:08.0765 1280 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
02:46:08.0890 1280 Disk - ok
02:46:08.0953 1280 dmadmin - ok
02:46:09.0078 1280 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
02:46:09.0250 1280 dmboot - ok
02:46:09.0375 1280 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys
02:46:09.0500 1280 dmio - ok
02:46:09.0625 1280 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
02:46:09.0750 1280 dmload - ok
02:46:09.0843 1280 dmserver (1639d9964c9e1b2ecca95c8217d3e70d) C:\WINDOWS\System32\dmserver.dll
02:46:09.0968 1280 dmserver - ok
02:46:10.0093 1280 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
02:46:10.0203 1280 DMusic - ok
02:46:10.0312 1280 Dnscache (7379de06fd196e396a00aa97b990c00d) C:\WINDOWS\System32\dnsrslvr.dll
02:46:10.0437 1280 Dnscache - ok
02:46:10.0546 1280 dpti2o - ok
02:46:10.0671 1280 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
02:46:10.0796 1280 drmkaud - ok
02:46:10.0890 1280 ERSvc (67dff7bbbd0e80aab7b3cf061448db8a) C:\WINDOWS\System32\ersvc.dll
02:46:11.0031 1280 ERSvc - ok
02:46:11.0140 1280 Eventlog (c6ce6eec82f187615d1002bb3bb50ed4) C:\WINDOWS\system32\services.exe
02:46:11.0265 1280 Eventlog - ok
02:46:11.0375 1280 EventSystem (acd36a2dd7d1e9d8a060aa651dc07e63) C:\WINDOWS\system32\es.dll
02:46:11.0500 1280 EventSystem - ok
02:46:11.0593 1280 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
02:46:11.0718 1280 Fastfat - ok
02:46:11.0828 1280 FastUserSwitchingCompatibility (e7518dc542d3ebdcb80edd98462c7821) C:\WINDOWS\System32\shsvcs.dll
02:46:11.0953 1280 FastUserSwitchingCompatibility - ok
02:46:12.0093 1280 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
02:46:12.0203 1280 Fdc - ok
02:46:12.0328 1280 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
02:46:12.0453 1280 FETNDIS - ok
02:46:12.0578 1280 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
02:46:12.0718 1280 Fips - ok
02:46:12.0843 1280 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
02:46:12.0968 1280 Flpydisk - ok
02:46:13.0093 1280 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys
02:46:13.0203 1280 FltMgr - ok
02:46:13.0312 1280 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
02:46:13.0328 1280 FontCache3.0.0.0 - ok
02:46:13.0453 1280 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
02:46:13.0468 1280 fssfltr - ok
02:46:13.0625 1280 fsssvc (206ad9a89bf05dfa1621f1fc7b82592d) C:\Program Files\Windows Live\Family Safety\fsssvc.exe
02:46:13.0671 1280 fsssvc - ok
02:46:13.0812 1280 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
02:46:13.0921 1280 Fs_Rec - ok
02:46:14.0062 1280 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
02:46:14.0171 1280 Ftdisk - ok
02:46:14.0234 1280 gdrv (d556cb79967e92b5cc69686d16c1d846) C:\WINDOWS\gdrv.sys
02:46:14.0234 1280 gdrv - ok
02:46:14.0296 1280 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
02:46:14.0437 1280 Gpc - ok
02:46:14.0578 1280 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
02:46:14.0609 1280 HDAudBus - ok
02:46:14.0718 1280 helpsvc (8827911a8c37e40c027cbfc88e69d967) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
02:46:14.0859 1280 helpsvc - ok
02:46:14.0953 1280 HidServ (9376e6893e52b368abc6255bf54f0b28) C:\WINDOWS\System32\hidserv.dll
02:46:15.0078 1280 HidServ - ok
02:46:15.0218 1280 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
02:46:15.0328 1280 HidUsb - ok
02:46:15.0437 1280 hpn - ok
02:46:15.0562 1280 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
02:46:15.0687 1280 HTTP - ok
02:46:15.0781 1280 HTTPFilter (064d8581adf77c25133e7d751d917d83) C:\WINDOWS\System32\w3ssl.dll
02:46:15.0921 1280 HTTPFilter - ok
02:46:16.0015 1280 i2omp - ok
02:46:16.0109 1280 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
02:46:16.0234 1280 i8042prt - ok
02:46:16.0390 1280 ialm (0a50599e2afecc2142329bdd7a137463) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
02:46:16.0531 1280 ialm - ok
02:46:16.0656 1280 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
02:46:16.0750 1280 idsvc - ok
02:46:16.0875 1280 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
02:46:16.0984 1280 Imapi - ok
02:46:17.0078 1280 ImapiService (fa788520bcac0f5d9d5cde5615c0d931) C:\WINDOWS\system32\imapi.exe
02:46:17.0203 1280 ImapiService - ok
02:46:17.0281 1280 ini910u - ok
02:46:17.0390 1280 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
02:46:17.0500 1280 IntelIde - ok
02:46:17.0625 1280 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
02:46:17.0750 1280 intelppm - ok
02:46:17.0828 1280 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
02:46:17.0953 1280 ip6fw - ok
02:46:18.0078 1280 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
02:46:18.0203 1280 IpFilterDriver - ok
02:46:18.0343 1280 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
02:46:18.0453 1280 IpInIp - ok
02:46:18.0578 1280 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
02:46:18.0703 1280 IpNat - ok
02:46:18.0828 1280 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
02:46:18.0937 1280 IPSec - ok
02:46:19.0031 1280 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
02:46:19.0093 1280 IRENUM - ok
02:46:19.0187 1280 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
02:46:19.0312 1280 isapnp - ok
02:46:19.0390 1280 KaraokeService (4452125b061706f2c9934a460425aaca) C:\WINDOWS\system32\KaraokeSer.exe
02:46:19.0406 1280 KaraokeService - ok
02:46:19.0531 1280 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
02:46:19.0656 1280 Kbdclass - ok
02:46:19.0796 1280 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
02:46:19.0906 1280 kbdhid - ok
02:46:20.0046 1280 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
02:46:20.0156 1280 kmixer - ok
02:46:20.0281 1280 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
02:46:20.0390 1280 KSecDD - ok
02:46:20.0531 1280 L1c (0a2e5a1963708aee3bee39d17726d736) C:\WINDOWS\system32\DRIVERS\l1c51x86.sys
02:46:20.0546 1280 L1c - ok
02:46:20.0640 1280 lanmanserver (93d32468d34e000cb3407947d1d6e22a) C:\WINDOWS\System32\srvsvc.dll
02:46:20.0781 1280 lanmanserver - ok
02:46:20.0875 1280 lanmanworkstation (2c0a7b2ae9c26f2c163627679b42783c) C:\WINDOWS\System32\wkssvc.dll
02:46:21.0000 1280 lanmanworkstation - ok
02:46:21.0078 1280 LmHosts (b3eff6d938c572e90a07b3d87a3c7657) C:\WINDOWS\System32\lmhsvc.dll
02:46:21.0203 1280 LmHosts - ok
02:46:21.0265 1280 MEMSWEEP2 - ok
02:46:21.0359 1280 Messenger (95fd808e4ac22aba025a7b3eac0375d2) C:\WINDOWS\System32\msgsvc.dll
02:46:21.0500 1280 Messenger - ok
02:46:21.0562 1280 MFE_RR - ok
02:46:21.0656 1280 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
02:46:21.0765 1280 mnmdd - ok
02:46:21.0859 1280 mnmsrvc (f6415361201915b9fe3896b0e4e724ff) C:\WINDOWS\System32\mnmsrvc.exe
02:46:21.0984 1280 mnmsrvc - ok
02:46:22.0078 1280 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
02:46:22.0187 1280 Modem - ok
02:46:22.0281 1280 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
02:46:22.0390 1280 Mouclass - ok
02:46:22.0531 1280 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
02:46:22.0640 1280 mouhid - ok
02:46:22.0765 1280 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
02:46:22.0890 1280 MountMgr - ok
02:46:22.0984 1280 mraid35x - ok
02:46:23.0078 1280 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
02:46:23.0187 1280 MRxDAV - ok
02:46:23.0328 1280 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
02:46:23.0500 1280 MRxSmb - ok
02:46:23.0593 1280 MSDTC (c7c3d89eb0a6f3dba622ea737fa335b1) C:\WINDOWS\System32\msdtc.exe
02:46:23.0718 1280 MSDTC - ok
02:46:23.0859 1280 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
02:46:23.0968 1280 Msfs - ok
02:46:24.0031 1280 MSIServer - ok
02:46:24.0171 1280 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
02:46:24.0281 1280 MSKSSRV - ok
02:46:24.0390 1280 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
02:46:24.0515 1280 MSPCLOCK - ok
02:46:24.0609 1280 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
02:46:24.0718 1280 MSPQM - ok
02:46:24.0812 1280 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
02:46:24.0921 1280 mssmbios - ok
02:46:25.0062 1280 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
02:46:25.0171 1280 Mup - ok
02:46:25.0312 1280 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
02:46:25.0421 1280 NDIS - ok
02:46:25.0531 1280 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
02:46:25.0656 1280 NdisTapi - ok
02:46:25.0750 1280 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
02:46:25.0859 1280 Ndisuio - ok
02:46:25.0984 1280 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
02:46:26.0109 1280 NdisWan - ok
02:46:26.0203 1280 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
02:46:26.0312 1280 NDProxy - ok
02:46:26.0453 1280 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
02:46:26.0578 1280 NetBIOS - ok
02:46:26.0671 1280 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
02:46:26.0796 1280 NetBT - ok
02:46:26.0906 1280 NetDDE (05afb5ad06462257bea7495283c86d50) C:\WINDOWS\system32\netdde.exe
02:46:27.0062 1280 NetDDE - ok
02:46:27.0093 1280 NetDDEdsdm (05afb5ad06462257bea7495283c86d50) C:\WINDOWS\system32\netdde.exe
02:46:27.0218 1280 NetDDEdsdm - ok
02:46:27.0296 1280 Netlogon (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
02:46:27.0421 1280 Netlogon - ok
02:46:27.0515 1280 Netman (dab9e6c7105d2ef49876fe92c524f565) C:\WINDOWS\System32\netman.dll
02:46:27.0656 1280 Netman - ok
02:46:27.0750 1280 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
02:46:27.0765 1280 NetTcpPortSharing - ok
02:46:27.0859 1280 Nla (4e74af063c3271fbea20dd940cfd1184) C:\WINDOWS\System32\mswsock.dll
02:46:28.0000 1280 Nla - ok
02:46:28.0125 1280 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
02:46:28.0234 1280 Npfs - ok
02:46:28.0375 1280 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
02:46:28.0515 1280 Ntfs - ok
02:46:28.0625 1280 NtLmSsp (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
02:46:28.0734 1280 NtLmSsp - ok
02:46:28.0843 1280 NtmsSvc (b62f29c00ac55a761b2e45877d85ea0f) C:\WINDOWS\system32\ntmssvc.dll
02:46:28.0984 1280 NtmsSvc - ok
02:46:29.0109 1280 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
02:46:29.0218 1280 Null - ok
02:46:29.0359 1280 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
02:46:29.0484 1280 NwlnkFlt - ok
02:46:29.0609 1280 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
02:46:29.0718 1280 NwlnkFwd - ok
02:46:29.0812 1280 odserv (84de1dd996b48b05ace31ad015fa108a) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
02:46:29.0843 1280 odserv - ok
02:46:29.0921 1280 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
02:46:29.0937 1280 ose - ok
02:46:30.0078 1280 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
02:46:30.0187 1280 Parport - ok
02:46:30.0312 1280 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
02:46:30.0437 1280 PartMgr - ok
02:46:30.0562 1280 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
02:46:30.0687 1280 ParVdm - ok
02:46:30.0828 1280 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
02:46:30.0937 1280 PCI - ok
02:46:31.0062 1280 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
02:46:31.0187 1280 PCIIde - ok
02:46:31.0312 1280 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
02:46:31.0437 1280 Pcmcia - ok
02:46:31.0546 1280 perc2 - ok
02:46:31.0640 1280 perc2hib - ok
02:46:31.0750 1280 PlugPlay (c6ce6eec82f187615d1002bb3bb50ed4) C:\WINDOWS\system32\services.exe
02:46:31.0859 1280 PlugPlay - ok
02:46:31.0953 1280 PolicyAgent (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
02:46:32.0062 1280 PolicyAgent - ok
02:46:32.0156 1280 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
02:46:32.0265 1280 PptpMiniport - ok
02:46:32.0406 1280 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
02:46:32.0515 1280 Processor - ok
02:46:32.0609 1280 ProtectedStorage (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
02:46:32.0703 1280 ProtectedStorage - ok
02:46:32.0843 1280 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
02:46:32.0953 1280 PSched - ok
02:46:33.0046 1280 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
02:46:33.0156 1280 Ptilink - ok
02:46:33.0296 1280 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
02:46:33.0312 1280 PxHelp20 - ok
02:46:33.0406 1280 ql1080 - ok
02:46:33.0468 1280 Ql10wnt - ok
02:46:33.0515 1280 ql12160 - ok
02:46:33.0593 1280 ql1240 - ok
02:46:33.0671 1280 ql1280 - ok
02:46:33.0796 1280 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
02:46:33.0906 1280 RasAcd - ok
02:46:34.0015 1280 RasAuto (44db7a9bdd2fb58747d123fbf1d35adb) C:\WINDOWS\System32\rasauto.dll
02:46:34.0140 1280 RasAuto - ok
02:46:34.0265 1280 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
02:46:34.0390 1280 Rasl2tp - ok
02:46:34.0500 1280 RasMan (41a3c11e3517c962c9b44893bcec3b34) C:\WINDOWS\System32\rasmans.dll
02:46:34.0625 1280 RasMan - ok
02:46:34.0765 1280 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
02:46:34.0875 1280 RasPppoe - ok
02:46:34.0968 1280 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
02:46:35.0093 1280 Raspti - ok
02:46:35.0218 1280 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
02:46:35.0343 1280 Rdbss - ok
02:46:35.0468 1280 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
02:46:35.0593 1280 RDPCDD - ok
02:46:35.0734 1280 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
02:46:35.0859 1280 rdpdr - ok
02:46:35.0953 1280 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
02:46:36.0078 1280 RDPWD - ok
02:46:36.0171 1280 RDSessMgr (729798e0933076b8fcfcd9934698f164) C:\WINDOWS\system32\sessmgr.exe
02:46:36.0296 1280 RDSessMgr - ok
02:46:36.0390 1280 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
02:46:36.0500 1280 redbook - ok
02:46:36.0593 1280 RemoteAccess (3046db917e3cfa040632799dd9b14865) C:\WINDOWS\System32\mprdim.dll
02:46:36.0718 1280 RemoteAccess - ok
02:46:36.0812 1280 RemoteRegistry (3151427db7d87107d1c5be58fac53960) C:\WINDOWS\system32\regsvc.dll
02:46:36.0953 1280 RemoteRegistry - ok
02:46:37.0046 1280 RpcLocator (793f04a09b15e7c6c11dbdffaf06c0ab) C:\WINDOWS\system32\locator.exe
02:46:37.0187 1280 RpcLocator - ok
02:46:37.0296 1280 RpcSs (5c83a4408604f737717ab96371201680) C:\WINDOWS\system32\rpcss.dll
02:46:37.0437 1280 RpcSs - ok
02:46:37.0546 1280 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
02:46:37.0687 1280 RSVP - ok
02:46:37.0796 1280 SamSs (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
02:46:37.0890 1280 SamSs - ok
02:46:38.0000 1280 SCardSvr (25d8de134df108e3dbc8d7d23b1aa58e) C:\WINDOWS\System32\SCardSvr.exe
02:46:38.0140 1280 SCardSvr - ok
02:46:38.0218 1280 Schedule (92360854316611f6cc471612213c3d92) C:\WINDOWS\system32\schedsvc.dll
02:46:38.0343 1280 Schedule - ok
02:46:38.0437 1280 SeaPort (331e7bde228914574fc9ae6cd520dafa) C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
02:46:38.0468 1280 SeaPort - ok
02:46:38.0593 1280 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
02:46:38.0656 1280 Secdrv - ok
02:46:38.0750 1280 seclogon (b1e0ce09895376871746f36dc5773b4f) C:\WINDOWS\System32\seclogon.dll
02:46:38.0890 1280 seclogon - ok
02:46:38.0984 1280 SENS (dfd9870cf39c791d86c4c209da9fa919) C:\WINDOWS\system32\sens.dll
02:46:39.0109 1280 SENS - ok
02:46:39.0203 1280 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
02:46:39.0328 1280 serenum - ok
02:46:39.0453 1280 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
02:46:39.0578 1280 Serial - ok
02:46:39.0734 1280 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
02:46:39.0843 1280 Sfloppy - ok
02:46:39.0937 1280 SharedAccess (36cc8c01b5e50163037bef56cb96deff) C:\WINDOWS\System32\ipnathlp.dll
02:46:40.0078 1280 SharedAccess - ok
02:46:40.0187 1280 ShellHWDetection (e7518dc542d3ebdcb80edd98462c7821) C:\WINDOWS\System32\shsvcs.dll
02:46:40.0296 1280 ShellHWDetection - ok
02:46:40.0375 1280 Simbad - ok
02:46:40.0468 1280 Sparrow - ok
02:46:40.0593 1280 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
02:46:40.0703 1280 splitter - ok
02:46:40.0812 1280 Spooler (7435b108b935e42ea92ca94f59c8e717) C:\WINDOWS\system32\spoolsv.exe
02:46:40.0937 1280 Spooler - ok
02:46:41.0078 1280 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
02:46:41.0140 1280 sr - ok
02:46:41.0234 1280 srservice (92bdf74f12d6cbec43c94d4b7f804838) C:\WINDOWS\system32\srsvc.dll
02:46:41.0296 1280 srservice - ok
02:46:41.0406 1280 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
02:46:41.0531 1280 Srv - ok
02:46:41.0625 1280 SSDPSRV (4b8d61792f7175bed48859cc18ce4e38) C:\WINDOWS\System32\ssdpsrv.dll
02:46:41.0703 1280 SSDPSRV - ok
02:46:41.0796 1280 stisvc (d9f6c4f6b1e188adafc42b561d9bc2e6) C:\WINDOWS\system32\wiaservc.dll
02:46:41.0937 1280 stisvc - ok
02:46:42.0062 1280 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
02:46:42.0187 1280 swenum - ok
02:46:42.0281 1280 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
02:46:42.0390 1280 swmidi - ok
02:46:42.0453 1280 SwPrv - ok
02:46:42.0578 1280 symc810 - ok
02:46:42.0640 1280 symc8xx - ok
02:46:42.0765 1280 SymEvent (e03ee3ef1037099554d17bed99545a5e) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
02:46:42.0765 1280 SymEvent - ok
02:46:42.0875 1280 sym_hi - ok
02:46:42.0953 1280 sym_u3 - ok
02:46:43.0031 1280 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
02:46:43.0156 1280 sysaudio - ok
02:46:43.0250 1280 SysmonLog (8b54aa346d1b1b113ffaa75501b8b1b2) C:\WINDOWS\system32\smlogsvc.exe
02:46:43.0390 1280 SysmonLog - ok
02:46:43.0484 1280 TapiSrv (eb4a4187d74a8efdcbea3ea2cb1bdfbd) C:\WINDOWS\System32\tapisrv.dll
02:46:43.0609 1280 TapiSrv - ok
02:46:43.0703 1280 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
02:46:43.0828 1280 Tcpip - ok
02:46:43.0953 1280 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
02:46:44.0062 1280 TDPIPE - ok
02:46:44.0203 1280 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
02:46:44.0312 1280 TDTCP - ok
02:46:44.0437 1280 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
02:46:44.0562 1280 TermDD - ok
02:46:44.0671 1280 TermService (b60c877d16d9c880b952fda04adf16e6) C:\WINDOWS\System32\termsrv.dll
02:46:44.0812 1280 TermService - ok
02:46:44.0906 1280 Themes (e7518dc542d3ebdcb80edd98462c7821) C:\WINDOWS\System32\shsvcs.dll
02:46:45.0015 1280 Themes - ok
02:46:45.0109 1280 TlntSvr (37db0a7d097310e8b4de803fc3119c78) C:\WINDOWS\System32\tlntsvr.exe
02:46:45.0187 1280 TlntSvr - ok
02:46:45.0250 1280 TosIde - ok
02:46:45.0328 1280 TrkWks (6d9ac544b30f96c57f8206566c1fb6a1) C:\WINDOWS\system32\trkwks.dll
02:46:45.0453 1280 TrkWks - ok
02:46:45.0593 1280 uagp35 (49c805d42d75eddc9b6a7130999c9054) C:\WINDOWS\system32\DRIVERS\uagp35.sys
02:46:45.0687 1280 uagp35 - ok
02:46:45.0828 1280 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
02:46:45.0953 1280 Udfs - ok
02:46:46.0046 1280 ultra - ok
02:46:46.0156 1280 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
02:46:46.0281 1280 Update - ok
02:46:46.0375 1280 upnphost (0546477bde979e33294fe97f6b3de84a) C:\WINDOWS\System32\upnphost.dll
02:46:46.0437 1280 upnphost - ok
02:46:46.0515 1280 UPS (3f5df65b0758675f95a2d43918a740a3) C:\WINDOWS\System32\ups.exe
02:46:46.0656 1280 UPS - ok
02:46:46.0781 1280 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
02:46:46.0890 1280 usbccgp - ok
02:46:47.0015 1280 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
02:46:47.0140 1280 usbehci - ok
02:46:47.0265 1280 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
02:46:47.0390 1280 usbhub - ok
02:46:47.0515 1280 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
02:46:47.0625 1280 usbprint - ok
02:46:47.0718 1280 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
02:46:47.0828 1280 usbscan - ok
02:46:47.0968 1280 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
02:46:48.0078 1280 USBSTOR - ok
02:46:48.0203 1280 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
02:46:48.0312 1280 usbuhci - ok
02:46:48.0406 1280 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
02:46:48.0515 1280 VgaSave - ok
02:46:48.0656 1280 viagfx (b4f6751f2e0a247f722a6e79b6e1a9bd) C:\WINDOWS\system32\DRIVERS\vtmini.sys
02:46:48.0687 1280 viagfx ( UnsignedFile.Multi.Generic ) - warning
02:46:48.0687 1280 viagfx - detected UnsignedFile.Multi.Generic (1)
02:46:48.0843 1280 VIAHdAudAddService (76305e637fcb3d06975c70d0bde7c79d) C:\WINDOWS\system32\drivers\viahduaa.sys
02:46:48.0937 1280 VIAHdAudAddService - ok
02:46:49.0062 1280 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
02:46:49.0171 1280 ViaIde - ok
02:46:49.0312 1280 VIAudio (fece79a9aef62ad5f11a3f4a14f1dead) C:\WINDOWS\system32\drivers\vinyl97.sys
02:46:49.0375 1280 VIAudio - ok
02:46:49.0500 1280 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
02:46:49.0609 1280 VolSnap - ok
02:46:49.0718 1280 VSS (3ee00364ae0fd8d604f46cbaf512838a) C:\WINDOWS\System32\vssvc.exe
02:46:49.0796 1280 VSS - ok
02:46:49.0890 1280 W32Time (2b281958f5d0cf99ed626e3ef39d5c8d) C:\WINDOWS\system32\w32time.dll
02:46:50.0031 1280 W32Time - ok
02:46:50.0171 1280 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
02:46:50.0281 1280 Wanarp - ok
02:46:50.0406 1280 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
02:46:50.0515 1280 wdmaud - ok
02:46:50.0625 1280 WebClient (5d0a442864bfbf3b19dcca4cd29f6e99) C:\WINDOWS\System32\webclnt.dll
02:46:50.0750 1280 WebClient - ok
02:46:50.0890 1280 winmgmt (f399242a80c4066fd155efa4cf96658e) C:\WINDOWS\system32\wbem\WMIsvc.dll
02:46:51.0015 1280 winmgmt - ok
02:46:51.0125 1280 WmdmPmSN (c086483e3dba8c1c0a687ec8d5b3d4c1) C:\WINDOWS\system32\mspmsnsv.dll
02:46:51.0265 1280 WmdmPmSN - ok
02:46:51.0375 1280 Wmi (1aff244ca134956c54474f4e2433e4ce) C:\WINDOWS\System32\advapi32.dll
02:46:51.0500 1280 Wmi - ok
02:46:51.0625 1280 WmiApSrv (ba8cecc3e813e1f7c441b20393d4f86c) C:\WINDOWS\system32\wbem\wmiapsrv.exe
02:46:51.0765 1280 WmiApSrv - ok
02:46:51.0875 1280 wscsvc (4d59daa66c60858cdf4f67a900f42d4a) C:\WINDOWS\system32\wscsvc.dll
02:46:52.0000 1280 wscsvc - ok
02:46:52.0093 1280 wuauserv (13d72740963cba12d9ff76a7f218bcd8) C:\WINDOWS\system32\wuauserv.dll
02:46:52.0218 1280 wuauserv - ok
02:46:52.0328 1280 WZCSVC (5a91e6feab9f901302fa7ff768c0120f) C:\WINDOWS\System32\wzcsvc.dll
02:46:52.0468 1280 WZCSVC - ok
02:46:52.0546 1280 xcpip - ok
02:46:52.0609 1280 xmlprov (eef46dab68229a14da3d8e73c99e2959) C:\WINDOWS\System32\xmlprov.dll
02:46:52.0765 1280 xmlprov - ok
02:46:52.0859 1280 xpsec - ok
02:46:52.0890 1280 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
02:46:52.0921 1280 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - infected
02:46:52.0921 1280 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Sinowal.b (0)
02:46:53.0015 1280 Boot (0x1200) (b5f2fbb74261fa2e02d68dcfcfc18d37) \Device\Harddisk0\DR0\Partition0
02:46:53.0015 1280 \Device\Harddisk0\DR0\Partition0 - ok
02:46:53.0062 1280 Boot (0x1200) (aefe55bc848b47e8614315af33170ecc) \Device\Harddisk0\DR0\Partition1
02:46:53.0062 1280 \Device\Harddisk0\DR0\Partition1 - ok
02:46:53.0062 1280 ============================================================
02:46:53.0062 1280 Scan finished
02:46:53.0062 1280 ============================================================
02:46:53.0171 1236 Detected object count: 2
02:46:53.0171 1236 Actual detected object count: 2
02:51:00.0265 1236 viagfx ( UnsignedFile.Multi.Generic ) - skipped by user
02:51:00.0265 1236 viagfx ( UnsignedFile.Multi.Generic ) - User select action: Skip
02:51:00.0562 1236 \Device\Harddisk0\DR0\# - copied to quarantine
02:51:00.0562 1236 \Device\Harddisk0\DR0 - copied to quarantine
02:51:00.0593 1236 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - will be cured on reboot
02:51:00.0625 1236 \Device\Harddisk0\DR0 - ok
02:51:00.0625 1236 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - User select action: Cure
02:51:05.0359 2156 Deinitialize success

#4
AliceK
Attached File: MBR.zip (512 bytes)
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-24 02:57:24
-----------------------------
02:57:24.734 OS Version: Windows 5.1.2600 Service Pack 2
02:57:24.734 Number of processors: 2 586 0x605
02:57:24.734 ComputerName: COMPUTER UserName: User
02:57:25.390 Initialize success
02:57:25.531 AVAST engine defs: 12032301
02:57:35.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-e
02:57:35.046 Disk 0 Vendor: MAXTOR_STM380211AS 3.AAE Size: 76319MB BusType: 3
02:57:35.062 Disk 0 MBR read successfully
02:57:35.078 Disk 0 MBR scan
02:57:35.078 Disk 0 Windows XP default MBR code
02:57:35.078 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 39997 MB offset 63
02:57:35.078 Disk 0 Partition - 00 0F Extended LBA 36310 MB offset 81915435
02:57:35.109 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 36310 MB offset 81915498
02:57:35.140 Disk 0 scanning sectors +156280320
02:57:35.171 Disk 0 malicious Win32:MBRoot code @ sector 156280323 !
02:57:35.234 Disk 0 scanning C:\WINDOWS\system32\drivers
02:57:48.890 Service scanning
02:58:21.562 Modules scanning
02:58:40.046 Disk 0 trace - called modules:
02:58:40.078 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
02:58:40.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae29ab8]
02:58:40.078 3 CLASSPNP.SYS[ba0e905b] -> nt!IofCallDriver -> \Device\00000069[0x8ae379e8]
02:58:40.093 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-e[0x8ae81940]
02:58:40.281 AVAST engine scan C:\WINDOWS
02:58:43.453 AVAST engine scan C:\WINDOWS\system32
03:01:15.515 AVAST engine scan C:\WINDOWS\system32\drivers
03:01:44.953 AVAST engine scan C:\Documents and Settings\User
03:17:02.906 AVAST engine scan C:\Documents and Settings\All Users
03:18:36.750 Scan finished successfully
03:27:14.484 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
03:27:14.500 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"

Edited by AliceK, 23 March 2012 - 04:39 PM.


#5
AliceK
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-24 06:17:45
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-e MAXTOR_STM380211AS rev.3.AAE
Running: okqd14y0.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\pgliqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA8AD7FC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA8B64510]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA8AFB6A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA8ADA456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA8ADA4AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA8ADA5C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA8AFB05D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA8ADA3AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA8ADA4FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA8ADA400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA8ADA572]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA8AD7FE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA8AFBD6F]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA8AFC025]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA8ADA848]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA8AFBBDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA8AFBA45]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA8B645C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA8AD7DB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA8AD800C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA8ADA9BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA8AD8AA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA8ADA486]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA8ADA4D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA8ADA5EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA8AFB3B9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA8ADA3D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA8ADA680]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA8ADA53E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA8ADA42E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA8ADA764]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA8ADA59C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xA8B64658]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA8AFB8C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA8AD896A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA8AFB712]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA8B6C9E6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA8AFA6D0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA8AD8030]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA8AD8054]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA8AD7E0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA8AD7F48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA8AFBE76]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA8AD7F24]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA8AD7F6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA8AD8078]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA8B787A2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C28 80503828 4 Bytes CALL C6F8E5AC
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A4ECC 4 Bytes CALL A8AD900F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BAEDA 5 Bytes JMP A8B7569C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C1810 5 Bytes JMP A8B7715C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CF966 7 Bytes JMP A8B787A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text win32k.sys!EngBitBlt + 92C BF827A40 5 Bytes JMP A8ADAB9A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 112EA BF843888 5 Bytes JMP A8ADAAD6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMulDiv + 5509 BF849B03 5 Bytes JMP A8ADACA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 62A3 BF87FFC9 5 Bytes JMP A8ADADE6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 632C BF880052 5 Bytes JMP A8ADAFBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 70B0 BF880DD6 5 Bytes JMP A8ADAABE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!BRUSHOBJ_hGetColorTransform + AFDD BF89F83F 5 Bytes JMP A8ADAF76 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 4E4C BF8CEEE3 5 Bytes JMP A8ADA9F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + 77D BF8FAF04 5 Bytes JMP A8ADAC0A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 58C BF908B12 5 Bytes JMP A8ADAD14 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 80C BF908D92 5 Bytes JMP A8ADAD4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1993 BF911AD9 5 Bytes JMP A8ADAB56 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2567 BF9126AD 5 Bytes JMP A8ADAC6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4EC1 BF915007 5 Bytes JMP A8ADB0D6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
? C:\DOCUME~1\User\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[172] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[172] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[172] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[172] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[172] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[172] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[172] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[172] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[172] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[172] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\KaraokeSer.exe[448] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\KaraokeSer.exe[448] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\KaraokeSer.exe[448] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\KaraokeSer.exe[448] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\KaraokeSer.exe[448] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\KaraokeSer.exe[448] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\KaraokeSer.exe[448] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\KaraokeSer.exe[448] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\KaraokeSer.exe[448] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\KaraokeSer.exe[448] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\KaraokeSer.exe[448] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\KaraokeSer.exe[448] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\KaraokeSer.exe[448] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\KaraokeSer.exe[448] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\KaraokeSer.exe[448] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\KaraokeSer.exe[448] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\KaraokeSer.exe[448] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002C1014
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002C0804
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002C0A08
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002C0C0C
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002C0E10
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002C01F8
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002C03FC
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002C0600
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002D01F8
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002D03FC
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002D0804
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002D0A08
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[484] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[588] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[588] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[588] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[588] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[588] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\smss.exe[640] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[688] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[712] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000701F8
.text C:\WINDOWS\system32\winlogon.exe[712] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[712] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000703FC
.text C:\WINDOWS\system32\winlogon.exe[712] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\winlogon.exe[712] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\winlogon.exe[712] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\winlogon.exe[712] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\winlogon.exe[712] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\winlogon.exe[712] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\services.exe[756] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\services.exe[756] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[756] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\services.exe[756] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\services.exe[756] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\services.exe[756] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\services.exe[756] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\services.exe[756] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\lsass.exe[768] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\lsass.exe[768] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[768] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\lsass.exe[768] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\lsass.exe[768] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\lsass.exe[768] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\lsass.exe[768] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\lsass.exe[768] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\lsass.exe[768] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[928] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[928] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[928] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[928] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[928] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[996] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[996] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[996] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[996] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[996] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[996] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[996] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[996] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\System32\svchost.exe[1036] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\svchost.exe[1036] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\svchost.exe[1036] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\svchost.exe[1036] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\svchost.exe[1036] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1120] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1120] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1120] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1120] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1276] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1276] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1276] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[1376] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\wscntfy.exe[1376] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[1376] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\wscntfy.exe[1376] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[1376] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\wscntfy.exe[1376] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\wscntfy.exe[1376] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\wscntfy.exe[1376] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\wscntfy.exe[1376] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\wscntfy.exe[1376] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002D1014
.text C:\WINDOWS\system32\wscntfy.exe[1376] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\wscntfy.exe[1376] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\wscntfy.exe[1376] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002D0C0C
.text C:\WINDOWS\system32\wscntfy.exe[1376] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002D0E10
.text C:\WINDOWS\system32\wscntfy.exe[1376] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\wscntfy.exe[1376] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\wscntfy.exe[1376] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002D0600
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\Explorer.EXE[1456] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1456] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\Explorer.EXE[1456] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\Explorer.EXE[1456] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\Explorer.EXE[1456] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\Explorer.EXE[1456] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\Explorer.EXE[1456] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\Explorer.EXE[1456] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\Explorer.EXE[1456] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\Explorer.EXE[1456] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\WINDOWS\Explorer.EXE[1456] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\WINDOWS\Explorer.EXE[1456] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\WINDOWS\Explorer.EXE[1456] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\WINDOWS\Explorer.EXE[1456] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\VTTimer.exe[1616] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\VTTimer.exe[1616] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\VTTimer.exe[1616] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\VTTimer.exe[1616] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\VTTimer.exe[1616] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003701F8
.text C:\WINDOWS\system32\VTTimer.exe[1616] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003703FC
.text C:\WINDOWS\system32\VTTimer.exe[1616] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00370804
.text C:\WINDOWS\system32\VTTimer.exe[1616] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00370A08
.text C:\WINDOWS\system32\VTTimer.exe[1616] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00370600
.text C:\WINDOWS\system32\VTTimer.exe[1616] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00381014
.text C:\WINDOWS\system32\VTTimer.exe[1616] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\VTTimer.exe[1616] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\VTTimer.exe[1616] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00380C0C
.text C:\WINDOWS\system32\VTTimer.exe[1616] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00380E10
.text C:\WINDOWS\system32\VTTimer.exe[1616] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\VTTimer.exe[1616] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\VTTimer.exe[1616] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\hkcmd.exe[1660] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\hkcmd.exe[1660] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[1660] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\hkcmd.exe[1660] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[1660] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\hkcmd.exe[1660] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\hkcmd.exe[1660] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\hkcmd.exe[1660] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\hkcmd.exe[1660] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\hkcmd.exe[1660] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 003A1014
.text C:\WINDOWS\system32\hkcmd.exe[1660] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 003A0804
.text C:\WINDOWS\system32\hkcmd.exe[1660] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 003A0A08
.text C:\WINDOWS\system32\hkcmd.exe[1660] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 003A0C0C
.text C:\WINDOWS\system32\hkcmd.exe[1660] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 003A0E10
.text C:\WINDOWS\system32\hkcmd.exe[1660] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003A01F8
.text C:\WINDOWS\system32\hkcmd.exe[1660] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003A03FC
.text C:\WINDOWS\system32\hkcmd.exe[1660] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 003A0600
.text C:\WINDOWS\system32\igfxpers.exe[1668] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\igfxpers.exe[1668] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[1668] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\igfxpers.exe[1668] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[1668] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\igfxpers.exe[1668] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\igfxpers.exe[1668] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\igfxpers.exe[1668] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\igfxpers.exe[1668] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\igfxpers.exe[1668] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\igfxpers.exe[1668] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\igfxpers.exe[1668] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\igfxpers.exe[1668] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\igfxpers.exe[1668] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\igfxpers.exe[1668] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\igfxpers.exe[1668] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\igfxpers.exe[1668] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1676] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1676] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1704] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\ctfmon.exe[1704] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1704] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\ctfmon.exe[1704] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1704] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\ctfmon.exe[1704] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\ctfmon.exe[1704] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\ctfmon.exe[1704] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\ctfmon.exe[1704] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\ctfmon.exe[1704] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\ctfmon.exe[1704] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\ctfmon.exe[1704] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\ctfmon.exe[1704] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\ctfmon.exe[1704] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\ctfmon.exe[1704] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\ctfmon.exe[1704] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\ctfmon.exe[1704] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\spoolsv.exe[1980] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\spoolsv.exe[1980] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1980] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\spoolsv.exe[1980] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1980] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\spoolsv.exe[1980] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\spoolsv.exe[1980] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\spoolsv.exe[1980] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\spoolsv.exe[1980] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\spoolsv.exe[1980] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\spoolsv.exe[1980] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\spoolsv.exe[1980] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\spoolsv.exe[1980] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\spoolsv.exe[1980] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\spoolsv.exe[1980] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\spoolsv.exe[1980] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\spoolsv.exe[1980] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\alg.exe[2196] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\alg.exe[2196] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2196] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\alg.exe[2196] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2196] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002A01F8
.text C:\WINDOWS\System32\alg.exe[2196] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002A03FC
.text C:\WINDOWS\System32\alg.exe[2196] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002A0804
.text C:\WINDOWS\System32\alg.exe[2196] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002A0A08
.text C:\WINDOWS\System32\alg.exe[2196] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002A0600
.text C:\WINDOWS\System32\alg.exe[2196] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\System32\alg.exe[2196] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\alg.exe[2196] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\alg.exe[2196] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\System32\alg.exe[2196] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\System32\alg.exe[2196] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\alg.exe[2196] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\alg.exe[2196] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003801F8
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003803FC
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00380804
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00380A08
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00380600
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\FirefoxPortable.exe[2700] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 01399720 C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\xul.dll (Mozilla Foundation)
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] kernel32.dll!VirtualAlloc 7C809A81 5 Bytes JMP 015CE21B C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\xul.dll (Mozilla Foundation)
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] kernel32.dll!MapViewOfFile 7C80B78D 5 Bytes JMP 015CE1F4 C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\xul.dll (Mozilla Foundation)
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] GDI32.dll!CreateDIBSection 77F19610 5 Bytes JMP 015CE17E C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\xul.dll (Mozilla Foundation)
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 02831014
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 02830804
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 02830A08
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 02830C0C
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 02830E10
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 028301F8
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 028303FC
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 02830600
.text C:\Documents and Settings\User\Desktop\Rootkit\okqd14y0.exe[3504] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Documents and Settings\User\Desktop\Rootkit\okqd14y0.exe[3504] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005E0002
IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005E0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 156280323

---- EOF - GMER 1.0.15 ----
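The user-mode section of this GMER log lists the same five-byte JMP hooks in almost every process: the service-control exports (CreateService*, ChangeServiceConfig*, DeleteService, SetServiceObjectSecurity), the window-hook exports (SetWindowsHookEx*, SetWinEventHook, UnhookWinEvent) and the loader (LdrLoadDll, LdrUnloadDll), with targets such as 002A01F8 that GMER cannot attribute to any module. The exceptions are instructive: the Firefox hooks resolve to xul.dll, and the two avast processes carry only one-byte patches and no JMP hooks at all. What a practitioner wants from a list like this is a per-process summary: how many hooks point into a named module, how many into anonymous memory, and whether the anonymous targets form one fixed-stride stub table, which is the signature of a single injected hooking library rather than many unrelated patches. The script below is an added example written for this page; it is not GMER's code and was not posted in the thread. The embedded log excerpt is a constructed subset of the lines above plus two lines in the same format from GMER's "Kernel code sections" output, and it deliberately does not attribute the anonymous hooks to any product, because the log alone does not settle who placed them.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER ".text" lines posted above (one svchost,
# the Firefox process, the avast service) plus two kernel-section lines in the same format.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1120] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1120] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1120] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1120] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[1120] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1276] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1276] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1276] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 01399720 C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\xul.dll (Mozilla Foundation)
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 028301F8
.text C:\Documents and Settings\User\Desktop\FirefoxPortable\App\firefox\firefox.exe[2716] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 028303FC
.text ntkrnlpa.exe!ZwCallbackReturn + 2C28 80503828 4 Bytes CALL C6F9455C
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BAEDA 5 Bytes JMP A917069C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
"""

# GMER line layout: <section> [<process>[pid]] <module>!<symbol>[ + off] <addr> <n> Byte(s) <patch>
LINE_RE = re.compile(
    r"^(?P<section>\.text|PAGE|INIT) (?:(?P<proc>.+?\[\d+\]) )?(?P<mod>[^ !\\]+)!(?P<func>\S+)"
    r"(?: \+ [0-9A-F]+)? (?P<addr>[0-9A-F]{8}) (?P<n>\d+) Bytes? (?P<patch>.*)$"
)
# A branch patch is "JMP|CALL <target>" optionally followed by the module GMER resolved it to.
HOOK_RE = re.compile(r"^(?P<op>JMP|CALL) (?P<target>[0-9A-F]{8})(?: (?P<module>.+))?$")


def parse_hooks(log):
    """One dict per patched-code line: process (or 'kernel'), hooked symbol, patch kind, branch target."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, target, module = "inline_patch", None, None
        h = HOOK_RE.match(m["patch"])
        if h:
            target, module = int(h["target"], 16), h["module"]
            kind = "hook_attributed" if module else "hook_unattributed"
        proc = (m["proc"] or "kernel").rsplit("\\", 1)[-1]
        yield {"proc": proc, "symbol": f'{m["mod"]}!{m["func"]}', "kind": kind,
               "target": target, "module": module}


def trampoline_stride(targets):
    """Constant distance between sorted branch targets, or None if they are not evenly spaced."""
    t = sorted(set(targets))
    gaps = {b - a for a, b in zip(t, t[1:])}
    return gaps.pop() if len(gaps) == 1 else None


def summarize(log):
    """Per process: hook counts by kind and, per 64 KiB region of unattributed targets, the stride."""
    by_proc = defaultdict(lambda: {"hook_unattributed": 0, "hook_attributed": 0,
                                   "inline_patch": 0, "regions": {}})
    regions = defaultdict(lambda: defaultdict(list))
    for h in parse_hooks(log):
        by_proc[h["proc"]][h["kind"]] += 1
        if h["kind"] == "hook_unattributed":
            regions[h["proc"]][h["target"] >> 16].append(h["target"])
    for proc, regs in regions.items():
        by_proc[proc]["regions"] = {hex(r << 16): trampoline_stride(ts) for r, ts in regs.items()}
    return dict(by_proc)


if __name__ == "__main__":
    for proc, stats in summarize(SAMPLE_LOG).items():
        print(proc, stats)
```

Run on the excerpt, svchost.exe[1120] reports ten unattributed hooks whose targets in the 0x00090000 and 0x002A0000 regions sit exactly 0x204 bytes apart: one stub table, so one injector, and the same spacing recurs in every hooked process in the full log. That pattern, on a machine where the vendor's own processes are the ones left unhooked, is consistent with a security product's behaviour monitoring, but the check is on the pattern only; before calling such hooks clean or malicious, identify the owner of the target memory region (dump it and inspect the code or strings) rather than trusting the absence of a module name either way.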

#6
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi AliceK,

All three tools confirmed infection. Let's try to remove it.

Step 1

  • Re-run aswMBR.exe
  • Click [Scan] button
  • Click the [Fix] button after the scan
  • Reboot your system after this

Step 2

Please do a GMER scan one more time and post the log after the scan

Step 3

Please don't forget to include these items in your reply:

  • aswMBR log
  • GMER log
It would be helpful if you could post each log in a separate post

#7
AliceK

    Member

  • Topic Starter
  • Member
  • 33 posts
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-27 06:49:27
-----------------------------
06:49:27.468 OS Version: Windows 5.1.2600 Service Pack 2
06:49:27.468 Number of processors: 2 586 0x605
06:49:27.468 ComputerName: COMPUTER UserName: User
06:49:27.671 Initialize success
06:49:27.765 AVAST engine defs: 12032601
06:49:33.296 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"
06:49:50.515 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-e
06:49:50.515 Disk 0 Vendor: MAXTOR_STM380211AS 3.AAE Size: 76319MB BusType: 3
06:49:50.546 Disk 0 MBR read successfully
06:49:50.546 Disk 0 MBR scan
06:49:50.578 Disk 0 Windows XP default MBR code
06:49:50.593 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 39997 MB offset 63
06:49:50.609 Disk 0 Partition - 00 0F Extended LBA 36310 MB offset 81915435
06:49:50.656 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 36310 MB offset 81915498
06:49:50.687 Disk 0 scanning sectors +156280320
06:49:50.890 Disk 0 scanning C:\WINDOWS\system32\drivers
06:50:30.734 Service scanning
06:51:00.921 Modules scanning
06:51:58.484 Disk 0 trace - called modules:
06:51:58.609 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
06:51:58.609 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae75ab8]
06:51:58.609 3 CLASSPNP.SYS[ba0e905b] -> nt!IofCallDriver -> \Device\00000069[0x8ae7e9e8]
06:51:58.609 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-e[0x8ae7d940]
06:51:59.234 AVAST engine scan C:\WINDOWS
06:52:14.250 AVAST engine scan C:\WINDOWS\system32
06:58:22.593 AVAST engine scan C:\WINDOWS\system32\drivers
06:59:11.781 AVAST engine scan C:\Documents and Settings\User
07:15:45.531 AVAST engine scan C:\Documents and Settings\All Users
07:18:22.640 Scan finished successfully
07:20:48.578 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
07:20:48.593 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"
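Both sector-level tools agree on the one finding that matters: GMER reports malicious Win32:MBRoot code at sector 156280323, and this aswMBR run scans from sector 156280320. The triage question for an MBR-bootkit hit is where that sector sits relative to the partition table, because bootkits of this kind keep their payload in sectors that belong to no filesystem, which is why file-based scans on C: and D: find nothing and only a tool that reads raw sectors sees it. The script below is an added example written for this page, not part of aswMBR, GMER or anything posted in the thread. It takes the disk and partition lines from the aswMBR log above (a constructed excerpt), converts the MB sizes to 512-byte sectors and reports whether the flagged sector lies inside a partition, inside the extended container, in unallocated space, or past the disk. Because aswMBR rounds sizes to whole MB, a partition end is only known to within 2048 sectors, so a hit that close to a boundary is flagged ambiguous; the partitions_from_mbr helper reads the exact entries from a raw 512-byte MBR (the MBR.dat that aswMBR saved to the desktop is such an image) to settle it.

```python
import re

# Constructed sample: the disk, partition and detection lines copied from the aswMBR
# and GMER output posted above (not the full logs).
ASWMBR_LINES = """\
06:49:50.515 Disk 0 Vendor: MAXTOR_STM380211AS 3.AAE Size: 76319MB BusType: 3
06:49:50.593 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 39997 MB offset 63
06:49:50.609 Disk 0 Partition - 00 0F Extended LBA 36310 MB offset 81915435
06:49:50.656 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 36310 MB offset 81915498
"""
GMER_LINE = r"Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 156280323"

MB_SECTORS = (1024 * 1024) // 512   # aswMBR prints sizes rounded to whole MB, i.e. to 2048 sectors

SIZE_RE = re.compile(r"Disk \d+ Vendor: .* Size: (?P<mb>\d+)MB")
PART_RE = re.compile(r"Disk \d+ Partition (?P<num>\S+) [0-9A-F]{2} (?:\(A\) )?(?P<type>[0-9A-F]{2}) "
                     r".*? (?P<mb>\d+) MB offset (?P<off>\d+)")
HIT_RE = re.compile(r"@ sector (?P<sector>\d+)")


def parse_layout(text):
    """Disk size (sectors) and partition entries from aswMBR output; ends are only MB-accurate."""
    size, parts = None, []
    for line in text.splitlines():
        m = SIZE_RE.search(line)
        if m:
            size = int(m["mb"]) * MB_SECTORS
        m = PART_RE.search(line)
        if m:
            start, ptype = int(m["off"]), int(m["type"], 16)
            parts.append({"num": m["num"], "container": ptype in (0x05, 0x0F),
                          "start": start, "end": start + int(m["mb"]) * MB_SECTORS})
    return size, parts


def partitions_from_mbr(mbr):
    """Exact primary-table entries from a raw 512-byte MBR (e.g. the MBR.dat aswMBR saves).
    Logical partitions live in the EBR chain, so only the extended container shows up here."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (missing 55AA signature)")
    parts = []
    for i in range(4):
        e = mbr[0x1BE + 16 * i: 0x1BE + 16 * i + 16]
        ptype = e[4]
        if ptype:
            start = int.from_bytes(e[8:12], "little")
            parts.append({"num": str(i + 1), "container": ptype in (0x05, 0x0F),
                          "start": start, "end": start + int.from_bytes(e[12:16], "little")})
    return parts


def locate_sector(sector, parts, disk_sectors=None, tolerance=MB_SECTORS):
    """Classify an LBA: inside a data partition, inside an extended container with no listed
    logical partition covering it, in unallocated space, or past the disk. A hit closer than
    `tolerance` sectors to a rounded partition end is flagged ambiguous."""
    result = {"sector": sector, "region": None, "ambiguous": False,
              "sectors_to_disk_end": None if disk_sectors is None else disk_sectors - sector}
    prev, container = None, None
    for p in sorted(parts, key=lambda p: p["start"]):
        if sector < p["start"]:
            break
        if sector < p["end"]:
            if p["container"]:
                container = p            # keep looking for a logical partition inside it
                continue
            result["region"] = f"inside partition {p['num']}"
            result["ambiguous"] = p["end"] - sector < tolerance
            return result
        prev = p
    if disk_sectors is not None and sector >= disk_sectors:
        result["region"] = "beyond the reported end of the disk"
    elif container:
        result["region"] = (f"inside extended container (entry {container['num']}), "
                            "outside any listed logical partition")
    elif prev:
        result["region"] = f"unallocated space after partition {prev['num']}"
        result["sectors_past_partition_end"] = sector - prev["end"]
        result["ambiguous"] = sector - prev["end"] < tolerance
    else:
        result["region"] = "unallocated space before the first partition (MBR / track 0)"
    return result


if __name__ == "__main__":
    size, parts = parse_layout(ASWMBR_LINES)
    hit = int(HIT_RE.search(GMER_LINE)["sector"])
    print(locate_sector(hit, parts, size))
```

For this disk the flagged sector comes out 1945 sectors past the nominal end of partition 2 and about 21,000 sectors (roughly 10 MB) before the reported end of the disk, i.e. in the unallocated tail, but inside the rounding window, so the script marks it ambiguous; the extended-container entry read from MBR.dat gives the exact end of the container and therefore of partition 2, and decides it. Either way the sector is not reachable as a file on C: or D:, which is why the remediation in this thread is aswMBR's [Fix] rather than deleting anything through the filesystem.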

#8
AliceK

    Member

  • Topic Starter
  • Member
  • 33 posts
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-27 06:49:02
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-e MAXTOR_STM380211AS rev.3.AAE
Running: okqd14y0.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\pgliqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA90D2FC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA915F510]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA90F66A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA90D5456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA90D54AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA90D55C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA90F605D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA90D53AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA90D54FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA90D5400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA90D5572]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA90D2FE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA90F6D6F]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA90F7025]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA90D5848]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA90F6BDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA90F6A45]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA915F5C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA90D2DB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA90D300C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA90D59BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA90D3AA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA90D5486]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA90D54D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA90D55EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA90F63B9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA90D53D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA90D5680]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA90D553E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA90D542E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA90D5764]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA90D559C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xA915F658]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA90F68C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA90D396A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA90F6712]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA91679E6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA90F56D0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA90D3030]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA90D3054]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA90D2E0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA90D2F48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA90F6E76]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA90D2F24]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA90D2F6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA90D3078]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA91737A2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C28 80503828 4 Bytes CALL C6F9455C
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A4ECC 4 Bytes CALL A90D400F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BAEDA 5 Bytes JMP A917069C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C1810 5 Bytes JMP A917215C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CF966 7 Bytes JMP A91737A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text win32k.sys!EngBitBlt + 92C BF827A40 5 Bytes JMP A90D5B9A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 112EA BF843888 5 Bytes JMP A90D5AD6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMulDiv + 5509 BF849B03 5 Bytes JMP A90D5CA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 62A3 BF87FFC9 5 Bytes JMP A90D5DE6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 632C BF880052 5 Bytes JMP A90D5FBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 70B0 BF880DD6 5 Bytes JMP A90D5ABE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!BRUSHOBJ_hGetColorTransform + AFDD BF89F83F 5 Bytes JMP A90D5F76 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 4E4C BF8CEEE3 5 Bytes JMP A90D59F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + 77D BF8FAF04 5 Bytes JMP A90D5C0A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 58C BF908B12 5 Bytes JMP A90D5D14 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 80C BF908D92 5 Bytes JMP A90D5D4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1993 BF911AD9 5 Bytes JMP A90D5B56 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2567 BF9126AD 5 Bytes JMP A90D5C6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4EC1 BF915007 5 Bytes JMP A90D60D6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[160] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[160] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[160] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[160] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[160] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[160] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[160] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[160] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[160] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[160] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[160] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[160] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[160] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[160] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[160] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[160] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[160] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\KaraokeSer.exe[444] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\KaraokeSer.exe[444] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\KaraokeSer.exe[444] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\KaraokeSer.exe[444] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\KaraokeSer.exe[444] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\KaraokeSer.exe[444] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\KaraokeSer.exe[444] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\KaraokeSer.exe[444] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\KaraokeSer.exe[444] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\KaraokeSer.exe[444] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\KaraokeSer.exe[444] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\KaraokeSer.exe[444] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\KaraokeSer.exe[444] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\KaraokeSer.exe[444] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\KaraokeSer.exe[444] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\KaraokeSer.exe[444] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\KaraokeSer.exe[444] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002C1014
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002C0804
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002C0A08
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002C0C0C
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002C0E10
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002C01F8
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002C03FC
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002C0600
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002D01F8
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002D03FC
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002D0804
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002D0A08
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[480] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[588] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[588] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[588] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[588] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[588] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[588] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[588] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[588] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\smss.exe[624] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[688] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[688] KERNEL32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[712] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000701F8
.text C:\WINDOWS\system32\winlogon.exe[712] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[712] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000703FC
.text C:\WINDOWS\system32\winlogon.exe[712] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\winlogon.exe[712] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\winlogon.exe[712] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\winlogon.exe[712] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\winlogon.exe[712] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\winlogon.exe[712] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\winlogon.exe[712] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\services.exe[756] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\services.exe[756] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[756] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\services.exe[756] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\services.exe[756] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\services.exe[756] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\services.exe[756] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\services.exe[756] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\lsass.exe[768] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\lsass.exe[768] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[768] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\lsass.exe[768] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\lsass.exe[768] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\lsass.exe[768] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\lsass.exe[768] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\lsass.exe[768] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\lsass.exe[768] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\lsass.exe[768] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[928] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[928] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[928] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[928] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[928] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[996] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[996] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[996] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[996] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[996] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[996] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[996] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[996] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1036] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[1036] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\System32\svchost.exe[1036] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\System32\svchost.exe[1036] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\svchost.exe[1036] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\svchost.exe[1036] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\svchost.exe[1036] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\svchost.exe[1036] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1116] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1116] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1116] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1280] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1280] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1280] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[1332] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\wscntfy.exe[1332] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[1332] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\wscntfy.exe[1332] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[1332] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\wscntfy.exe[1332] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\wscntfy.exe[1332] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\wscntfy.exe[1332] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\wscntfy.exe[1332] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\wscntfy.exe[1332] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002D1014
.text C:\WINDOWS\system32\wscntfy.exe[1332] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\wscntfy.exe[1332] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\wscntfy.exe[1332] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002D0C0C
.text C:\WINDOWS\system32\wscntfy.exe[1332] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002D0E10
.text C:\WINDOWS\system32\wscntfy.exe[1332] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\wscntfy.exe[1332] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\wscntfy.exe[1332] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002D0600
.text C:\WINDOWS\Explorer.EXE[1448] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\Explorer.EXE[1448] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1448] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\Explorer.EXE[1448] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1448] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\Explorer.EXE[1448] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\Explorer.EXE[1448] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\Explorer.EXE[1448] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\Explorer.EXE[1448] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\Explorer.EXE[1448] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\Explorer.EXE[1448] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\Explorer.EXE[1448] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\Explorer.EXE[1448] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\WINDOWS\Explorer.EXE[1448] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\WINDOWS\Explorer.EXE[1448] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\WINDOWS\Explorer.EXE[1448] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\WINDOWS\Explorer.EXE[1448] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\VTTimer.exe[1548] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\VTTimer.exe[1548] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\VTTimer.exe[1548] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\VTTimer.exe[1548] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\VTTimer.exe[1548] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003701F8
.text C:\WINDOWS\system32\VTTimer.exe[1548] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003703FC
.text C:\WINDOWS\system32\VTTimer.exe[1548] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00370804
.text C:\WINDOWS\system32\VTTimer.exe[1548] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00370A08
.text C:\WINDOWS\system32\VTTimer.exe[1548] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00370600
.text C:\WINDOWS\system32\VTTimer.exe[1548] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00381014
.text C:\WINDOWS\system32\VTTimer.exe[1548] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\VTTimer.exe[1548] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\VTTimer.exe[1548] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00380C0C
.text C:\WINDOWS\system32\VTTimer.exe[1548] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00380E10
.text C:\WINDOWS\system32\VTTimer.exe[1548] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\VTTimer.exe[1548] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\VTTimer.exe[1548] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\hkcmd.exe[1564] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\hkcmd.exe[1564] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[1564] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\hkcmd.exe[1564] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[1564] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\hkcmd.exe[1564] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\hkcmd.exe[1564] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\hkcmd.exe[1564] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\hkcmd.exe[1564] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\hkcmd.exe[1564] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 003A1014
.text C:\WINDOWS\system32\hkcmd.exe[1564] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 003A0804
.text C:\WINDOWS\system32\hkcmd.exe[1564] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 003A0A08
.text C:\WINDOWS\system32\hkcmd.exe[1564] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 003A0C0C
.text C:\WINDOWS\system32\hkcmd.exe[1564] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 003A0E10
.text C:\WINDOWS\system32\hkcmd.exe[1564] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003A01F8
.text C:\WINDOWS\system32\hkcmd.exe[1564] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003A03FC
.text C:\WINDOWS\system32\hkcmd.exe[1564] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 003A0600
.text C:\WINDOWS\system32\igfxpers.exe[1576] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001501F8
.text C:\WINDOWS\system32\igfxpers.exe[1576] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[1576] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 001503FC
.text C:\WINDOWS\system32\igfxpers.exe[1576] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[1576] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\igfxpers.exe[1576] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\igfxpers.exe[1576] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\igfxpers.exe[1576] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\igfxpers.exe[1576] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\igfxpers.exe[1576] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\igfxpers.exe[1576] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\igfxpers.exe[1576] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\igfxpers.exe[1576] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\igfxpers.exe[1576] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\igfxpers.exe[1576] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\igfxpers.exe[1576] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\igfxpers.exe[1576] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 00390600
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1624] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1624] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1648] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\ctfmon.exe[1648] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1648] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\ctfmon.exe[1648] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1648] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\ctfmon.exe[1648] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\ctfmon.exe[1648] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\ctfmon.exe[1648] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\ctfmon.exe[1648] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\ctfmon.exe[1648] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\ctfmon.exe[1648] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\ctfmon.exe[1648] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\ctfmon.exe[1648] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\ctfmon.exe[1648] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\ctfmon.exe[1648] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\ctfmon.exe[1648] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\ctfmon.exe[1648] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\spoolsv.exe[1992] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\spoolsv.exe[1992] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1992] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\spoolsv.exe[1992] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1992] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\spoolsv.exe[1992] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\spoolsv.exe[1992] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\spoolsv.exe[1992] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\spoolsv.exe[1992] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\spoolsv.exe[1992] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\spoolsv.exe[1992] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\spoolsv.exe[1992] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\spoolsv.exe[1992] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\spoolsv.exe[1992] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\spoolsv.exe[1992] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\spoolsv.exe[1992] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\spoolsv.exe[1992] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\alg.exe[2284] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\alg.exe[2284] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2284] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\alg.exe[2284] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2284] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002A01F8
.text C:\WINDOWS\System32\alg.exe[2284] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002A03FC
.text C:\WINDOWS\System32\alg.exe[2284] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002A0804
.text C:\WINDOWS\System32\alg.exe[2284] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002A0A08
.text C:\WINDOWS\System32\alg.exe[2284] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002A0600
.text C:\WINDOWS\System32\alg.exe[2284] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\System32\alg.exe[2284] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\alg.exe[2284] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\alg.exe[2284] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\System32\alg.exe[2284] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\System32\alg.exe[2284] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\alg.exe[2284] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\alg.exe[2284] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\wuauclt.exe[2416] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\wuauclt.exe[2416] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[2416] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\wuauclt.exe[2416] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[2416] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\wuauclt.exe[2416] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\wuauclt.exe[2416] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\wuauclt.exe[2416] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\wuauclt.exe[2416] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\wuauclt.exe[2416] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002D1014
.text C:\WINDOWS\system32\wuauclt.exe[2416] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\wuauclt.exe[2416] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\wuauclt.exe[2416] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002D0C0C
.text C:\WINDOWS\system32\wuauclt.exe[2416] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002D0E10
.text C:\WINDOWS\system32\wuauclt.exe[2416] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\wuauclt.exe[2416] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\wuauclt.exe[2416] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002D0600
.text C:\Documents and Settings\User\Desktop\Rootkit\okqd14y0.exe[2580] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Documents and Settings\User\Desktop\Rootkit\okqd14y0.exe[2580] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005E0002
IAT C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005E0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----
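To triage a GMER user-mode hook listing like the one posted above, here is an added Python script (not from this thread or from GMER) that parses lines in that format, counts inline JMP detours versus single-byte patches per process, shows which identical changes recur across many processes, and lists processes whose ADVAPI32 service-control exports are redirected. The line shape is inferred from the listing and is an assumption; the sample lines are copied from it, and attributing the hooks to a particular driver or DLL remains the analyst's next step.

```python
import re
from collections import defaultdict

# GMER "User code sections" line as seen in the listing above (shape is an assumption):
#   .text <process>[<pid>] <module>!<export>[ + <off>] <addr> <N> Byte(s) <detail>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<export>[^\s+]+)"
    r"(?:\s*\+\s*[0-9A-Fa-f]+)?\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<detail>.+?)\s*$")

# Constructed sample: four lines copied verbatim from the listing above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\ctfmon.exe[1648] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\ctfmon.exe[1648] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1648] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1624] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
"""

SERVICE_APIS = {"CreateServiceA", "CreateServiceW", "DeleteService", "SetServiceObjectSecurity",
                "ChangeServiceConfigA", "ChangeServiceConfigW", "ChangeServiceConfig2A", "ChangeServiceConfig2W"}

def parse_hooks(text):
    """One dict per parsed line; lines not in the hook format are skipped."""
    hooks = []
    for m in filter(None, map(HOOK_RE.match, map(str.strip, text.splitlines()))):
        h = m.groupdict()
        # "JMP <target>" is an inline detour; anything else (e.g. "[62]") is a raw byte patch.
        h["kind"] = "jmp" if h["detail"].upper().startswith("JMP ") else "patch"
        h["proc"] = f'{h["proc"]}[{h["pid"]}]'  # key processes by path and PID
        hooks.append(h)
    return hooks

def summarize(hooks):
    """Per process: count of detours and byte patches, plus the hooked exports."""
    out = defaultdict(lambda: {"jmp": 0, "patch": 0, "exports": set()})
    for h in hooks:
        out[h["proc"]][h["kind"]] += 1
        out[h["proc"]]["exports"].add(f'{h["module"]}!{h["export"]}')
    return dict(out)

def shared_patches(hooks):
    """Processes per identical (export, address, bytes) change; many = one system-wide hooker."""
    seen = defaultdict(set)
    for h in hooks:
        seen[(f'{h["module"]}!{h["export"]}', h["addr"], h["detail"])].add(h["proc"])
    return {k: len(v) for k, v in seen.items()}

def service_control_hooked(hooks):
    """Processes whose ADVAPI32 service-control exports are detoured."""
    return sorted({h["proc"] for h in hooks
                   if h["module"].upper() == "ADVAPI32.DLL" and h["export"] in SERVICE_APIS})
```

A change that appears with the same bytes at the same address in every process (as the `[62]` patches do in the listing) is typically a single system-wide component; the analyst then checks which module the JMP targets fall in before calling it benign or malicious.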

#9
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Hi AliceK,

How is your system now? Any problems?


Download Virus Removal Tool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First, we will run a virus scan.

Click the cog in the upper right

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

Allow Virus Removal Tool to delete all infections found
Once it has finished, select the Report tab (last tab)
Select the Detected threats report from the left and press the Save button
Save it to your desktop and attach it to your next post

#10
AliceK
    Member
  • Topic Starter
  • 33 posts
Maliprog, the computer does not show any unusual behavior.
Virus Removal Tool detected 0 threats.

#11
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Glad to hear that! Time for cleanup :)

Your logs and system are clean now. I'm glad we fixed up your computer. We need to clean the programs we used off your PC.

Step 1

Please start OTL one more time and click the CleanUp button. OTL will restart your system at the end. Remove all other applications we used to clean your PC.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Enable Windows Update
  • Click Start, click Run, type sysdm.cpl, and then press ENTER.
  • Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) option: Automatically download recommended updates for my computer and install them.
  • Click the OK button

2. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

3. Make Backups of Important Files

Please read this article Home Computer Data Backup.


4. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of the software installed on your system.

#12
AliceK
    Member
  • Topic Starter
  • 33 posts
All done.

Thanks very much for your assistance, maliprog.
This thread can be closed.

#13
maliprog
    Trusted Helper
  • Malware Removal
  • 6,172 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.