-Steve
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by user at 22:58:20 on 2011-06-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1380 [GMT -4:00]
.
AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Norton AntiVirus *Enabled/Updated* {B5510F6F-87E1-47F7-A411-360BC453007C}
FW: avast! Internet Security *Enabled*
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - HP Print Enhancer
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [IBM RecordNow!]
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 207.69.188.185 207.69.188.186 207.69.188.187
TCP: Interfaces\{9C3CA0AF-7E86-4AD2-9AD3-9A61DD3D0F07} : DhcpNameServer = 207.69.188.185 207.69.188.186 207.69.188.187
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\x8z4aone.default\
FF - plugin: c:\documents and settings\user\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\user\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2011-6-23 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2011-6-23 192984]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2003-1-5 64160]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2011-6-23 102232]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-23 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-23 307928]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\savrtpel.sys [2008-3-29 37000]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-23 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-23 42184]
R2 avast! Firewall;avast! Firewall;c:\program files\avast software\avast\afwServ.exe [2011-6-23 121000]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2003-11-10 255648]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2003-11-10 235168]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-5-23 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-5-23 22712]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2003-6-24 66784]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2003-11-10 87712]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1036104]
S3 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2003-11-24 158848]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110105.003\NAVENG.Sys [2004-6-22 86008]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110105.003\NavEx15.Sys [2004-6-22 1360760]
S3 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2008-3-29 305288]
S4 SAVScan;SAVScan;c:\program files\norton antivirus\SAVSCAN.EXE [2003-11-7 194272]
.
=============== Created Last 30 ================
.
2011-06-26 02:52:58 -------- d-s---w- C:\ComboFix
2011-06-23 18:28:52 102232 ----a-w- c:\windows\system32\drivers\aswFW.sys
2011-06-23 18:28:37 192984 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2011-06-23 18:28:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-23 18:28:03 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2011-06-23 18:28:02 40112 ----a-w- c:\windows\avastSS.scr
2011-06-23 18:27:36 -------- d-----w- c:\program files\AVAST Software
2011-06-23 18:27:36 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2011-06-23 17:35:44 -------- d-----w- c:\documents and settings\user\local settings\application data\Google
2011-06-23 02:38:14 -------- d-----w- C:\AVG10
2011-06-22 08:33:32 388096 ----a-r- c:\documents and settings\user\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-06-22 08:33:31 -------- d-----w- c:\program files\Trend Micro
2011-06-22 03:40:31 0 ----a-w- c:\windows\Isaxisu.bin
2011-06-22 03:40:20 -------- d-----w- c:\documents and settings\user\local settings\application data\{5FB0CF45-3DC9-441B-8924-B14FB27B23B6}
2011-06-20 03:54:44 105472 ------w- c:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-06-22 06:54:14 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 23:00:43.59 ===============
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-25 23:36:29
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\symmpi1 IBM-ESXS rev.B85D
Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\kwroipow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA9F28202]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA9F8ECB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA9F4C6C1]
SSDT E1A723C0 ZwConnectPort
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA9F2A81C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA9F2A874]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA9F2A98A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA9F4C075]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA9F2A772]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA9F2A8C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA9F2A7C6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA9F2A938]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA9F28226]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA9F4CD87]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA9F4D03D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA9F2AC0E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA9F4CBF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA9F4CA5D]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA9F8ED62]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA9F27FF0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA9F2824A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA9F2AD82]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA9F28CDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA9F2A84C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA9F2A89C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA9F2A9B4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA9F4C3D1]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA9F2A79E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA9F2AA46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA9F2A904]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA9F2A7F4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA9F2AB2A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA9F2A962]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xA9F8EDFA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA9F4C8D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA9F28BA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA9F4C72A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA9F97E48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA9F4B6E8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA9F2826E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA9F28292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA9F2804A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA9F28186]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA9F4CE8E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA9F28162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA9F281AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA9F282B6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA9FA4902]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 37C 804E29E8 4 Bytes CALL FCF81EA3
PAGE ntoskrnl.exe!ObInsertObject 805650BA 5 Bytes JMP A9FA1D5C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056BB08 4 Bytes CALL A9F29335 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058124C 7 Bytes JMP A9FA4906 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805A038B 5 Bytes JMP A9FA02BE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xAB4BD340, 0x130B5F, 0xF8000020]
.text win32k.sys!EngFreeUserMem + 674 BF809922 5 Bytes JMP A9F2BCCE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 45 BF813911 5 Bytes JMP A9F2BBDA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngSetLastError + 783B BF824157 5 Bytes JMP A9F2AF60 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + F9C BF828CE9 5 Bytes JMP A9F2BE38 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 2C50 BF8316DA 5 Bytes JMP A9F2C040 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + B8F2 BF83A37C 5 Bytes JMP A9F2BB4A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 5F35 BF857E69 5 Bytes JMP A9F2AFD0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 348C BF866FF4 5 Bytes JMP A9F2B1AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 3517 BF86707F 5 Bytes JMP A9F2B352 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 3F47 BF867AAF 5 Bytes JMP A9F2AE84 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + AAFC BF86E664 5 Bytes JMP A9F2BC04 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnicodeToMultiByteN + 2ED7 BF871F85 5 Bytes JMP A9F2BF9E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 411E BF88C9D8 5 Bytes JMP A9F2B32A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTextOut + 4149 BF8B0CBE 5 Bytes JMP A9F2AE9C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 2DBF BF8C26A3 5 Bytes JMP A9F2BD80 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 450 BF8C3048 5 Bytes JMP A9F2B06A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1517 BF8CB4AA 5 Bytes JMP A9F2B0DA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1797 BF8CB72A 5 Bytes JMP A9F2B114 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + 3B3E BF8ED1B7 5 Bytes JMP A9F2ADB8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 19B2 BF913F1F 5 Bytes JMP A9F2AF1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2586 BF914AF3 5 Bytes JMP A9F2B034 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4EE5 BF917452 5 Bytes JMP A9F2B46C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 1924 BF945FB0 5 Bytes JMP A9F2BEF6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012380, 0x268611, 0xF8000020]
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B0804
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0A08
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B0600
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B01F8
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B03FC
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[252] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\WINDOWS\system32\svchost.exe[452] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[452] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[452] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[452] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[452] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[452] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[452] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[452] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[452] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[452] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[452] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[452] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[452] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[452] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[452] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[452] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[452] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\System32\smss.exe[612] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[696] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\spoolsv.exe[696] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[696] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\spoolsv.exe[696] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[696] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\spoolsv.exe[696] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\spoolsv.exe[696] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\spoolsv.exe[696] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\spoolsv.exe[696] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\spoolsv.exe[696] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\spoolsv.exe[696] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\spoolsv.exe[696] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
.text C:\WINDOWS\system32\spoolsv.exe[696] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\spoolsv.exe[696] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\spoolsv.exe[696] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\spoolsv.exe[696] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\spoolsv.exe[696] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[720] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[720] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[720] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[720] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[720] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[720] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[720] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[720] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B1014
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B0804
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0A08
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B0C0C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0E10
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B01F8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B03FC
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B0600
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C0804
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0A08
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C0600
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C01F8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[756] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C03FC
.text C:\WINDOWS\system32\csrss.exe[1004] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[1004] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1008] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F1000A
.text C:\WINDOWS\Explorer.EXE[1008] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F2000A
.text C:\WINDOWS\Explorer.EXE[1008] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E3000C
.text C:\WINDOWS\Explorer.EXE[1008] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00361014
.text C:\WINDOWS\Explorer.EXE[1008] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00360804
.text C:\WINDOWS\Explorer.EXE[1008] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360A08
.text C:\WINDOWS\Explorer.EXE[1008] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00360C0C
.text C:\WINDOWS\Explorer.EXE[1008] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360E10
.text C:\WINDOWS\Explorer.EXE[1008] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003601F8
.text C:\WINDOWS\Explorer.EXE[1008] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003603FC
.text C:\WINDOWS\Explorer.EXE[1008] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00360600
.text C:\WINDOWS\Explorer.EXE[1008] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00370804
.text C:\WINDOWS\Explorer.EXE[1008] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370A08
.text C:\WINDOWS\Explorer.EXE[1008] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00370600
.text C:\WINDOWS\Explorer.EXE[1008] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003701F8
.text C:\WINDOWS\Explorer.EXE[1008] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003703FC
.text C:\WINDOWS\system32\winlogon.exe[1028] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000701F8
.text C:\WINDOWS\system32\winlogon.exe[1028] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[1028] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000703FC
.text C:\WINDOWS\system32\winlogon.exe[1028] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[1028] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\winlogon.exe[1028] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\winlogon.exe[1028] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\winlogon.exe[1028] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\winlogon.exe[1028] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\winlogon.exe[1028] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\winlogon.exe[1028] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\winlogon.exe[1028] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
.text C:\WINDOWS\system32\winlogon.exe[1028] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\winlogon.exe[1028] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\winlogon.exe[1028] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\winlogon.exe[1028] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\winlogon.exe[1028] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\services.exe[1076] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\services.exe[1076] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[1076] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\services.exe[1076] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\services.exe[1076] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
.text C:\WINDOWS\system32\services.exe[1076] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\services.exe[1076] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\services.exe[1076] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\services.exe[1076] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\services.exe[1076] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\lsass.exe[1088] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\lsass.exe[1088] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[1088] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\lsass.exe[1088] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[1088] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\lsass.exe[1088] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\lsass.exe[1088] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\lsass.exe[1088] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\lsass.exe[1088] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\lsass.exe[1088] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\lsass.exe[1088] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\lsass.exe[1088] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
.text C:\WINDOWS\system32\lsass.exe[1088] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F0804
.text C:\WINDOWS\system32\lsass.exe[1088] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0A08
.text C:\WINDOWS\system32\lsass.exe[1088] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F0600
.text C:\WINDOWS\system32\lsass.exe[1088] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F01F8
.text C:\WINDOWS\system32\lsass.exe[1088] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F03FC
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B0804
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0A08
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B0600
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B01F8
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B03FC
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1336] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\WINDOWS\system32\svchost.exe[1404] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1404] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1404] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[1404] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[1404] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[1404] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[1404] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[1404] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00AC0804
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00AC0A08
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00AC0600
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00AC01F8
.text C:\DOCUME~1\user\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[1412] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 00AC03FC
.text C:\Program Files\AVAST Software\Avast\afwServ.exe[1668] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\afwServ.exe[1668] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[1692] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[1692] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1764] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1764] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1764] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1908] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1908] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1908] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1908] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[1908] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[1908] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[1908] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[1908] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[1908] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[1908] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\WINDOWS\System32\svchost.exe[2452] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[2452] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[2452] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[2452] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[2452] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\System32\svchost.exe[2452] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\System32\svchost.exe[2452] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\System32\svchost.exe[2452] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\System32\svchost.exe[2452] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\System32\svchost.exe[2452] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\System32\svchost.exe[2452] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\System32\svchost.exe[2452] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\System32\svchost.exe[2452] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\System32\svchost.exe[2452] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\System32\svchost.exe[2452] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\System32\svchost.exe[2452] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\System32\svchost.exe[2452] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 017E000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 017F000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 017D000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 007F1014
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 007F0804
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 007F0A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 007F0C0C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 007F0E10
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 007F01F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 007F03FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 007F0600
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00800804
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00800A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00800600
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 008001F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[2472] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 008003FC
.text C:\WINDOWS\system32\nvsvc32.exe[2528] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\nvsvc32.exe[2528] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[2528] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\nvsvc32.exe[2528] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[2528] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B0804
.text C:\WINDOWS\system32\nvsvc32.exe[2528] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0A08
.text C:\WINDOWS\system32\nvsvc32.exe[2528] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B0600
.text C:\WINDOWS\system32\nvsvc32.exe[2528] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B01F8
.text C:\WINDOWS\system32\nvsvc32.exe[2528] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B03FC
.text C:\WINDOWS\system32\nvsvc32.exe[2528] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\WINDOWS\system32\nvsvc32.exe[2528] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\WINDOWS\system32\nvsvc32.exe[2528] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text C:\WINDOWS\system32\nvsvc32.exe[2528] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text C:\WINDOWS\system32\nvsvc32.exe[2528] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text C:\WINDOWS\system32\nvsvc32.exe[2528] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text C:\WINDOWS\system32\nvsvc32.exe[2528] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text C:\WINDOWS\system32\nvsvc32.exe[2528] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text C:\WINDOWS\system32\nvsvc32.exe[2528] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\WINDOWS\System32\svchost.exe[2556] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[2556] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[2556] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[2556] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[2556] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\System32\svchost.exe[2556] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\System32\svchost.exe[2556] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\System32\svchost.exe[2556] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\System32\svchost.exe[2556] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\System32\svchost.exe[2556] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\System32\svchost.exe[2556] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\System32\svchost.exe[2556] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\System32\svchost.exe[2556] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\System32\svchost.exe[2556] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\System32\svchost.exe[2556] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\System32\svchost.exe[2556] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\System32\svchost.exe[2556] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000D01F8
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000D03FC
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00341014
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00340804
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00340A08
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00340C0C
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00340E10
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003401F8
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003403FC
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00340600
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00350804
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00350A08
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00350600
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003501F8
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2756] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003503FC
.text C:\WINDOWS\system32\svchost.exe[2804] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[2804] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[2804] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[2804] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\system32\svchost.exe[2804] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\system32\svchost.exe[2804] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\system32\svchost.exe[2804] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\system32\svchost.exe[2804] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\system32\svchost.exe[2804] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\system32\svchost.exe[2804] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B0804
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0A08
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B0600
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B01F8
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B03FC
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe[2892] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\WINDOWS\System32\alg.exe[3452] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\alg.exe[3452] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[3452] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\alg.exe[3452] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[3452] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002E0804
.text C:\WINDOWS\System32\alg.exe[3452] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002E0A08
.text C:\WINDOWS\System32\alg.exe[3452] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002E0600
.text C:\WINDOWS\System32\alg.exe[3452] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002E01F8
.text C:\WINDOWS\System32\alg.exe[3452] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002E03FC
.text C:\WINDOWS\System32\alg.exe[3452] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002F1014
.text C:\WINDOWS\System32\alg.exe[3452] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002F0804
.text C:\WINDOWS\System32\alg.exe[3452] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002F0A08
.text C:\WINDOWS\System32\alg.exe[3452] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002F0C0C
.text C:\WINDOWS\System32\alg.exe[3452] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002F0E10
.text C:\WINDOWS\System32\alg.exe[3452] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002F01F8
.text C:\WINDOWS\System32\alg.exe[3452] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002F03FC
.text C:\WINDOWS\System32\alg.exe[3452] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002F0600
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B1014
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B0804
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0A08
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B0C0C
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0E10
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B01F8
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B03FC
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B0600
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C0804
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0A08
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C0600
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C01F8
.text C:\Program Files\Microsoft Works\WksSb.exe[3508] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C03FC
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C0804
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0A08
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C0600
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C01F8
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C03FC
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003D1014
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003D0804
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003D0A08
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003D0C0C
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003D0E10
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003D01F8
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003D03FC
.text C:\Program Files\IBM\Messages By IBM\ibmmessages.exe[3516] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003D0600
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B0804
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0A08
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B0600
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B01F8
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B03FC
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[3556] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C1014
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C0804
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0A08
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C0C0C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0E10
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C01F8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C03FC
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C0600
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D0804
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0A08
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D0600
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D01F8
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3596] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D03FC
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[3608] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[3608] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003F1014
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003F0804
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003F0A08
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003F0C0C
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003F0E10
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003F01F8
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003F03FC
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003F0600
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00540804
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00540A08
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00540600
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 005401F8
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3628] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 005403FC
.text C:\WINDOWS\system32\ctfmon.exe[3900] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\ctfmon.exe[3900] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[3900] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\ctfmon.exe[3900] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[3900] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00361014
.text C:\WINDOWS\system32\ctfmon.exe[3900] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00360804
.text C:\WINDOWS\system32\ctfmon.exe[3900] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360A08
.text C:\WINDOWS\system32\ctfmon.exe[3900] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00360C0C
.text C:\WINDOWS\system32\ctfmon.exe[3900] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360E10
.text C:\WINDOWS\system32\ctfmon.exe[3900] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003601F8
.text C:\WINDOWS\system32\ctfmon.exe[3900] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003603FC
.text C:\WINDOWS\system32\ctfmon.exe[3900] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00360600
.text C:\WINDOWS\system32\ctfmon.exe[3900] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00370804
.text C:\WINDOWS\system32\ctfmon.exe[3900] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370A08
.text C:\WINDOWS\system32\ctfmon.exe[3900] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00370600
.text C:\WINDOWS\system32\ctfmon.exe[3900] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003701F8
.text C:\WINDOWS\system32\ctfmon.exe[3900] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003703FC
.text C:\WINDOWS\System32\svchost.exe[4068] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\System32\svchost.exe[4068] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\System32\svchost.exe[4068] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BB000C
.text C:\WINDOWS\System32\svchost.exe[4068] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00301014
.text C:\WINDOWS\System32\svchost.exe[4068] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00300804
.text C:\WINDOWS\System32\svchost.exe[4068] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300A08
.text C:\WINDOWS\System32\svchost.exe[4068] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00300C0C
.text C:\WINDOWS\System32\svchost.exe[4068] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300E10
.text C:\WINDOWS\System32\svchost.exe[4068] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003001F8
.text C:\WINDOWS\System32\svchost.exe[4068] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003003FC
.text C:\WINDOWS\System32\svchost.exe[4068] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00300600
.text C:\WINDOWS\System32\svchost.exe[4068] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00310804
.text C:\WINDOWS\System32\svchost.exe[4068] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310A08
.text C:\WINDOWS\System32\svchost.exe[4068] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00310600
.text C:\WINDOWS\System32\svchost.exe[4068] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003101F8
.text C:\WINDOWS\System32\svchost.exe[4068] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003103FC
---- Devices - GMER 1.0.15 ----
Device aswSP.SYS (avast! self protection module/AVAST Software)
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\symmpi -> DriverStartIo \Device\Scsi\symmpi1 8A4E431B
Device \Driver\symmpi -> DriverStartIo \Device\Scsi\symmpi2 8A4E431B
Device \Driver\symmpi -> DriverStartIo \Device\Scsi\symmpi1Port2Path0Target0Lun0 8A4E431B
Device \Driver\symmpi -> DriverStartIo \Device\Scsi\symmpi2Port3Path1Target0Lun0 8A4E431B
Device \Driver\symmpi -> DriverStartIo \Device\Scsi\symmpi1Port2Path1Target0Lun0 8A4E431B
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
---- Files - GMER 1.0.15 ----
File C:\Documents and Settings\LocalService\Cookies\system@dc.tremormedia[2].txt 0 bytes
File C:\Documents and Settings\LocalService\Cookies\system@scanscout[3].txt 0 bytes
File C:\Documents and Settings\LocalService\Cookies\system@scorecardresearch[4].txt 0 bytes
File C:\Documents and Settings\LocalService\Cookies\system@advertising[3].txt 0 bytes
File C:\Documents and Settings\LocalService\Cookies\system@exelator[3].txt 0 bytes
---- EOF - GMER 1.0.15 ----