Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

PRAGMA Rootkit (Win32/Rootkit.Kryptik.AZ trojan) TDSS Variant


  • This topic is locked This topic is locked
28 replies to this topic

#1 bstrange

bstrange

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 18 February 2011 - 01:38 PM

On Feb 14th, I posted about a rootkit that is on my system HERE in the 'Am I infected" section. It has been a very long time since I have been here, but I believe you used to have to post there first and only ended up here once someone started helping you, but I truely can't recall. Should I leave that where it is and wait for a reply there? or can that post be moved here? can the topics be merged? or should I repost my issue here and delete that post? I apologize that I am so out of touch with forum protocol here, but on the other hand, I don't want to waste anyone's time by posting in the wrong place and clogging up the wrong queue.

I do have a nasty version PRAGMA Rootkit (Win32/Rootkit.Kryptik.AZ trojan) TDSS Variant. All other infections have been removed, and I believe the bulk of the rootkit has been disabled. I *think* I just need to drop a custom script into ComboFix or Avenger2 to finish the removal; however, I am not sure because I haven't seen a piece of malware this resiliant in years.

The following scans have been run and their logs are saved and available for posting:

DDS
GMER
Rkill
Combofix
RootRepeal
HijackThis
MBAM
ESET Online Scan
FSecure Online Scan
SuperAntiSpyware
Avast Boot Scan
As well as a manually created record of all self deleted registry keys related to PRAGMA.

The bulk of the pertinent information (at least what I *think* is pertinent) is in the original thread linked above with the exception of the GMER info on the rootkit.
Please advise what I should do about this second post, I will gladly delete either post, I just want to be sure I am posting in the right spot and not taking somebody else's spot in the am I infected queue if I do not need to be there.

Thanks!

I am attaching logs in accordance with: http://www.bleepingcomputer.com/forums/topic34773.html


DDS (Ver_10-12-12.02) - NTFSx86
Run by Jack Gilmore at 9:17:23.17 on Fri 02/18/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1522 [GMT -5:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\USBStorage\USBDetector.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jack Gilmore\Desktop\PCPatrol.exe
C:\DOCUME~1\JACKGI~1\LOCALS~1\Temp\7zS4.tmp\winvnc.exe
C:\Documents and Settings\Jack Gilmore\Desktop\Redeployment\bleep2\bleep2\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Acrobat Speed Launch] "c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe"
mRun: [USBDetector] c:\usbstorage\USBDetector.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\csconn~1.lnk - c:\wincsi\tools\connectbgdl.exe
uPolicies-explorer: NoSMHelp = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-2-13 294608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-2-13 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-2-13 40384]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2011-2-11 10448]
S2 iconmgr;IconManager;c:\teac\iconmgr\iconmgr.exe --> c:\teac\iconmgr\iconmgr.exe [?]

=============== Created Last 30 ================

2011-02-16 15:29:33 -------- d-----w- c:\documents and settings\jack gilmore\DoctorWeb
2011-02-16 14:48:48 -------- d-----w- c:\docume~1\jackgi~1\applic~1\SUPERAntiSpyware.com
2011-02-16 14:48:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-02-16 14:48:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-16 14:44:59 -------- d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2011-02-16 14:44:56 -------- d-----w- c:\program files\Security Task Manager
2011-02-14 02:06:06 -------- d-----w- c:\program files\jv16 PowerTools 2009
2011-02-13 18:38:46 38848 ----a-w- c:\windows\avastSS.scr
2011-02-11 20:18:07 -------- d-----w- c:\docume~1\jackgi~1\applic~1\f-secure
2011-02-11 20:17:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2011-02-11 19:58:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-11 18:35:55 -------- d-sha-r- C:\cmdcons
2011-02-11 18:35:05 98816 ----a-w- c:\windows\sed.exe
2011-02-11 18:35:05 89088 ----a-w- c:\windows\MBR.exe
2011-02-11 18:35:05 256512 ----a-w- c:\windows\PEV.exe
2011-02-11 18:35:05 161792 ----a-w- c:\windows\SWREG.exe
2011-02-11 18:12:00 -------- dc-h--w- c:\windows\ie8
2011-02-11 17:45:55 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2011-02-11 17:45:55 -------- d-----w- c:\program files\Belarc
2011-02-11 16:30:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2011-02-11 16:26:57 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-11 16:26:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-02-11 15:49:27 -------- d-----w- c:\program files\common files\Software Update Utility
2011-02-11 14:23:29 53248 ----a-r- c:\docume~1\jackgi~1\applic~1\microsoft\installer\{3ee9bcae-e9a9-45e5-9b1c-83a4d357e05c}\ARPPRODUCTICON.exe
2011-02-11 14:23:13 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2011-02-10 21:22:28 7424 ----a-w- c:\windows\system32\drivers\Amusbdev.sys
2011-02-10 21:22:28 6656 ----a-w- c:\windows\system32\drivers\Amfilter.sys
2011-02-10 21:22:28 12800 ----a-w- c:\windows\system32\drivers\Amusbprt.sys
2011-02-10 21:22:28 12800 ----a-w- c:\windows\system32\drivers\Amps2prt.sys
2011-02-10 21:20:49 981528 ----a-w- c:\windows\system32\heciudlg.exe
2011-02-10 21:20:05 -------- d-----w- C:\teac
2011-02-10 21:16:09 319456 ----a-w- c:\windows\system32\difxapi.dll
2011-02-10 21:16:09 -------- d-----w- c:\windows\system32\Lang
2011-02-10 21:16:03 -------- d-----w- C:\Intel
2011-02-10 21:14:32 49152 ----a-w- c:\windows\system32\DSndUp.exe
2011-02-10 21:14:26 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iKernel.dll
2011-02-10 21:14:26 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\ctor.dll
2011-02-10 21:14:26 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\DotNetInstaller.exe
2011-02-10 21:14:26 303236 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\setup.dll
2011-02-10 21:14:26 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iscript.dll
2011-02-10 21:14:26 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iGdi.dll
2011-02-10 21:14:26 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\00\intel32\iuser.dll
2011-02-10 21:03:35 -------- d-----w- c:\program files\WinAce
2011-02-10 18:47:33 -------- d-----w- c:\docume~1\jackgi~1\applic~1\TuneUp Software
2011-02-10 18:17:43 15360 ----a-w- c:\windows\system32\ctfmon.exe.backup
2011-02-10 05:13:43 -------- d-----w- c:\docume~1\jackgi~1\applic~1\IObit
2011-02-10 04:31:32 -------- d-----w- c:\program files\IObit
2011-02-09 21:27:51 -------- d-----w- c:\docume~1\jackgi~1\applic~1\Malwarebytes
2011-02-09 21:27:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-09 20:00:16 -------- d-----w- c:\docume~1\jackgi~1\applic~1\ElevatedDiagnostics
2011-02-09 00:25:40 5183 ----a-w- c:\windows\system32\drivers\usbu2a.sys
2011-02-09 00:25:40 -------- d-----w- C:\USBStorage
2011-02-09 00:21:22 593920 ------w- c:\windows\system32\ati2sgag.exe
2011-02-09 00:20:47 47104 ----a-w- c:\windows\system32\amdpcom32.dll
2011-02-09 00:20:47 19968 ----a-w- c:\windows\system32\atiadlxx.dll
2011-02-08 23:24:07 -------- d-----w- c:\docume~1\alluse~1\applic~1\Driver Boost
2011-02-08 20:55:55 -------- d-----w- c:\docume~1\jackgi~1\applic~1\Logishrd
2011-01-21 18:15:06 819200 ----a-w- c:\program files\windows media player\wmsetsdk.exe
2011-01-21 18:15:06 47616 ----a-w- c:\program files\windows media player\msoobci.dll
2011-01-21 18:13:46 -------- d-----w- c:\docume~1\jackgi~1\locals~1\applic~1\Musicmatch
2011-01-21 15:26:39 -------- d-----w- c:\program files\NCH Software
2011-01-21 15:26:20 -------- d-----w- c:\program files\NCH Swift Sound
2011-01-21 14:44:37 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll
2011-01-20 15:22:04 -------- d-----w- c:\docume~1\jackgi~1\locals~1\applic~1\Help

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 21:13:50 106496 ----a-w- c:\windows\system32\ATL71.DLL
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ------w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 9:17:58.32 ===============

Attached Files


Edited by bstrange, 18 February 2011 - 01:47 PM.


BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:18 AM

Posted 18 February 2011 - 01:47 PM

Post removed due to Crossposts

Edited by fireman4it, 18 February 2011 - 02:01 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 bstrange

bstrange
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 18 February 2011 - 01:50 PM

Sorry, I was editing the original post to add the 2 required attachments and the DDS while you were replying, I really didn't expect a reply so fast! :)

Should I delete the other post in Am I Infected?

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:18 AM

Posted 18 February 2011 - 02:03 PM

Hello bstrange,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.


Let them know in Am I infected that you have started a Topic in here.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 bstrange

bstrange
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 18 February 2011 - 02:11 PM

I won't be doing anything additional unless specifically instructed to by you. I apologize for running combofix, prior to posting here, old habbits die hard and I knew I was doing so at my own risk. I haven't had any sort of infection I couldn't resolve on my own since '08 so I hadn't anticipated having to ask for help when I ran combofix.

Do you need any of my other logs from the lists of programs I ran prior to posting (from the list in my initial post)?

Should I delete my other post (http://www.bleepingcomputer.com/forums/topic379496.html) that I created in the wrong place?

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:18 AM

Posted 18 February 2011 - 02:12 PM

Hello,


Let them know in Am I infected that you have started a Topic in here.

We are dealing with a pretty nasty infection.

1.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

2.
Download PragmaFix and run it. A log will open up when done.

Note - when you run PragmaFix you need an active internet connection!

Post me the log please.

Edited by fireman4it, 18 February 2011 - 02:13 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 bstrange

bstrange
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 18 February 2011 - 02:18 PM

PragmaFix Log:

Fri 02/18/2011 14:15:34.95

HKLM\SYSTEM\ControlSet001\Services\PRAGMApxevsticxr
HKLM\SYSTEM\ControlSet002\Services\PRAGMApxevsticxr
HKLM\SYSTEM\CurrentControlSet\Services\PRAGMApxevsticxr


Tea Timer was never installed, SD Helper has been de-activated per your instructions :)

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:18 AM

Posted 18 February 2011 - 03:32 PM

Hello,



Please delete the copy of Combofix you have on your desktop and do the following:

Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

2.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Things to include in your next reply::
Combofix.txt
Gmer log

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 bstrange

bstrange
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 18 February 2011 - 05:04 PM

ComboFix ran w/o difficulty and removed a couple of files. On the GMER, I followed your instructions to the letter, it did a quick scan on execute, displayed a dozen or so entries in the window (including 1 rootkit) and asked me if I wanted to do a complete scan to which I clicked NO as instructed.

I left all the boxes as they come checked by default, and did not clear the check next to IAT/EAT (like it tells you to do in the preperation guide) since you did not request that I do that, I figured you wanted it to run using it's default settings. So I hit 'scan' as instructed, and it has been scanning for the past hour and a half.

The reason I am posting now is because it *appears* to be scanning every file even though I told it NO when it asked me if it should do a complete scan, so I thought I should check and make sure you were not looking for the quick report that pops up 2 seconds after clicking the .exe

The second reason I am posting is to let you know I am still with you and did not run off to do other things ;)

As soon as the scan finishes (it's in the i386 tree)I will post both logs.

Thanks!

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:18 AM

Posted 18 February 2011 - 06:10 PM

Hello,


Im glad it is scanning completely that way it will get all those pragma entries.

Please post the Combofix.txt and gmer log for my review when they are ready.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 bstrange

bstrange
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 18 February 2011 - 07:24 PM

wow, just shy of 4 hours 0.0

here we are :)

ComboFix 11-02-17.02 - Jack Gilmore 02/18/2011 15:45:52.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1585 [GMT -5:00]
Running from: c:\documents and settings\Jack Gilmore\Desktop\Redeployment\bleep2\bleep2\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\JACKGI~1\LOCALS~1\Temp\SAS3.tmp
c:\docume~1\JACKGI~1\LOCALS~1\Temp\SAS4.tmp
c:\documents and settings\Jack Gilmore\Local Settings\Temp\SAS3.tmp
c:\documents and settings\Jack Gilmore\Local Settings\Temp\SAS4.tmp

.
((((((((((((((((((((((((( Files Created from 2011-01-18 to 2011-02-18 )))))))))))))))))))))))))))))))
.

2011-02-18 19:15 . 2006-11-01 17:06 162616 ----a-w- c:\windows\RegDelNull.exe
2011-02-16 15:29 . 2011-02-16 18:03 -------- d-----w- c:\documents and settings\Jack Gilmore\DoctorWeb
2011-02-16 14:48 . 2011-02-16 14:48 -------- d-----w- c:\documents and settings\Jack Gilmore\Application Data\SUPERAntiSpyware.com
2011-02-16 14:48 . 2011-02-16 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-16 14:44 . 2011-02-16 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2011-02-16 14:44 . 2011-02-16 14:44 -------- d-----w- c:\program files\Security Task Manager
2011-02-14 02:06 . 2011-02-14 02:06 -------- d-----w- c:\program files\jv16 PowerTools 2009
2011-02-11 20:18 . 2011-02-11 20:18 -------- d-----w- c:\documents and settings\Jack Gilmore\Application Data\f-secure
2011-02-11 20:17 . 2011-02-11 20:17 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2011-02-11 19:58 . 2011-02-13 17:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-11 18:12 . 2011-02-11 18:12 -------- dc-h--w- c:\windows\ie8
2011-02-11 16:30 . 2011-02-18 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-02-11 16:30 . 2011-02-11 16:30 -------- d-----w- c:\program files\Alwil Software
2011-02-11 16:26 . 2011-02-11 16:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-11 16:26 . 2011-02-11 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-02-11 15:49 . 2011-02-11 15:49 -------- d-----w- c:\program files\Common Files\Software Update Utility
2011-02-11 14:23 . 2011-02-11 14:23 53248 ----a-r- c:\documents and settings\Jack Gilmore\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-02-11 14:23 . 2011-02-11 14:23 -------- d-----w- c:\documents and settings\Jack Gilmore\Application Data\Leadertech
2011-02-11 14:23 . 2010-08-24 17:30 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2011-02-10 21:22 . 2005-09-21 21:27 12800 ----a-w- c:\windows\system32\drivers\Amps2prt.sys
2011-02-10 21:22 . 2005-09-21 21:26 6656 ----a-w- c:\windows\system32\drivers\Amfilter.sys
2011-02-10 21:22 . 2005-09-21 21:25 12800 ----a-w- c:\windows\system32\drivers\Amusbprt.sys
2011-02-10 21:22 . 2004-08-25 22:09 7424 ----a-w- c:\windows\system32\drivers\Amusbdev.sys
2011-02-10 21:20 . 2009-10-29 20:31 981528 ----a-w- c:\windows\system32\heciudlg.exe
2011-02-10 21:20 . 2011-02-10 21:20 -------- d-----w- C:\teac
2011-02-10 21:16 . 2011-02-11 12:41 -------- d-----w- c:\windows\system32\Lang
2011-02-10 21:16 . 2006-11-10 15:25 319456 ----a-w- c:\windows\system32\difxapi.dll
2011-02-10 21:16 . 2011-02-10 21:16 -------- d-----w- C:\Intel
2011-02-10 21:14 . 2007-11-12 19:27 49152 ----a-w- c:\windows\system32\DSndUp.exe
2011-02-10 21:14 . 2011-02-10 21:14 303236 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\setup.dll
2011-02-10 21:14 . 2011-02-10 21:14 180356 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iGdi.dll
2011-02-10 21:14 . 2004-04-19 04:42 733184 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iKernel.dll
2011-02-10 21:14 . 2004-04-19 04:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\ctor.dll
2011-02-10 21:14 . 2004-04-19 04:39 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iscript.dll
2011-02-10 21:14 . 2004-04-19 04:39 172032 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\iuser.dll
2011-02-10 21:14 . 2004-04-19 04:39 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\00\Intel32\DotNetInstaller.exe
2011-02-10 21:03 . 2011-02-16 16:33 -------- d-----w- c:\program files\WinAce
2011-02-10 18:47 . 2011-02-10 18:47 -------- d-----w- c:\documents and settings\Jack Gilmore\Application Data\TuneUp Software
2011-02-10 18:17 . 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe.backup
2011-02-10 05:13 . 2011-02-10 05:13 -------- d-----w- c:\documents and settings\Jack Gilmore\Application Data\IObit
2011-02-10 04:31 . 2011-02-10 05:13 -------- d-----w- c:\program files\IObit
2011-02-09 21:27 . 2011-02-09 21:27 -------- d-----w- c:\documents and settings\Jack Gilmore\Application Data\Malwarebytes
2011-02-09 21:27 . 2011-02-09 21:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-09 20:00 . 2011-02-09 20:00 -------- d-----w- c:\documents and settings\Jack Gilmore\Application Data\ElevatedDiagnostics
2011-02-09 00:25 . 2011-02-09 00:46 -------- d-----w- C:\USBStorage
2011-02-09 00:25 . 2003-04-03 23:57 5183 ----a-w- c:\windows\system32\drivers\usbu2a.sys
2011-02-09 00:21 . 2008-04-10 02:05 593920 ------w- c:\windows\system32\ati2sgag.exe
2011-02-09 00:20 . 2008-04-10 15:22 47104 ----a-w- c:\windows\system32\amdpcom32.dll
2011-02-09 00:20 . 2008-04-10 15:17 19968 ----a-w- c:\windows\system32\atiadlxx.dll
2011-02-08 23:24 . 2011-02-08 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Boost
2011-02-08 20:55 . 2011-02-11 14:22 -------- d-----w- c:\documents and settings\Jack Gilmore\Application Data\Logishrd
2011-01-21 18:15 . 2005-01-28 18:44 819200 ----a-w- c:\program files\Windows Media Player\wmsetsdk.exe
2011-01-21 18:15 . 2005-01-28 18:44 47616 ----a-w- c:\program files\Windows Media Player\msoobci.dll
2011-01-21 18:14 . 2011-02-10 22:38 -------- d-----w- c:\documents and settings\Jack Gilmore\Application Data\Musicmatch
2011-01-21 18:13 . 2011-01-21 18:18 -------- d-----w- c:\documents and settings\Jack Gilmore\Local Settings\Application Data\Musicmatch
2011-01-21 15:26 . 2011-01-21 15:26 -------- d-----w- c:\program files\NCH Software
2011-01-21 15:26 . 2011-01-21 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2011-01-21 15:26 . 2011-01-21 15:26 -------- d-----w- c:\program files\NCH Swift Sound
2011-01-21 15:26 . 2011-01-21 15:26 -------- d-----w- c:\documents and settings\Jack Gilmore\Application Data\NCH Swift Sound
2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll
2011-01-20 15:22 . 2011-01-20 15:22 -------- d-----w- c:\documents and settings\Jack Gilmore\Local Settings\Application Data\Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-11 22:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-11 22:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-11 22:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 21:14 . 2010-12-28 21:14 57344 ----a-r- c:\documents and settings\Jack Gilmore\Application Data\Microsoft\Installer\{87441A59-5E64-4096-A170-14EFE67200C3}\ARPPRODUCTICON.exe
2010-12-28 21:13 . 2007-12-26 16:56 106496 ----a-w- c:\windows\system32\ATL71.DLL
2010-12-22 12:34 . 2004-08-11 22:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-11 22:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2004-08-11 22:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-11 22:00 385024 ------w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2004-08-11 22:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-11 22:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2004-08-11 22:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-04 03:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2011-01-22 46520]
"USBDetector"="c:\usbstorage\USBDetector.exe" [2003-04-01 53248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CS Connect Background Services.lnk - c:\wincsi\TOOLS\connectbgdl.exe [2010-1-20 228232]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk
backup=c:\windows\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jack Gilmore^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Jack Gilmore\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2011-01-21 18:03 624056 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Synchronizer]
2011-01-21 21:14 738776 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2009-07-20 19:52 41264 ----a-w- c:\program files\Common Files\AOL\1228683287\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nikon Message Center 2]
2010-05-26 00:16 619008 ----a-w- c:\program files\Nikon\Nikon Message Center 2\NkMC2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2006-10-20 22:23 118784 ----a-w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2008-12-07 18:55 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\1228683287\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2/11/2011 9:23 AM 10448]
S2 iconmgr;IconManager;c:\teac\iconmgr\iconmgr.exe --> c:\teac\iconmgr\iconmgr.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - avast! Antivirus
*Deregistered* - BANTExt
.
Contents of the 'Scheduled Tasks' folder

2011-01-24 c:\windows\Tasks\goldenShakeIcon.job
- c:\program files\NCH Swift Sound\Golden\golden.exe [2011-01-21 15:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-UltraTax CS 2008 - c:\wincsi\UT08\UTUNINST.EXE
AddRemove-UltraTax CS 2009 - c:\wincsi\UT09\UTUNINST.EXE
AddRemove-UltraTax CS 2010 - c:\wincsi\UT10\UTUNINST.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-18 15:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-02-18 15:50:16
ComboFix-quarantined-files.txt 2011-02-18 20:50
ComboFix2.txt 2011-02-13 17:32

Pre-Run: 205,212,184,576 bytes free
Post-Run: 205,197,479,936 bytes free

- - End Of File - - C0A909D2D55E879AC1087BFA9EDBCA01


======================================================================


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-18 19:17:18
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-2 ST325031 rev.3.AD
Running: 612bj85v.exe; Driver: C:\DOCUME~1\JACKGI~1\LOCALS~1\Temp\pwldipod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwAllocateVirtualMemory [0xA07CA728] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwClose [0xA07D17EA] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwCreateKey [0xA07D16A2] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDeleteKey [0xA07D1CA8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDeleteValueKey [0xA07D1BBE] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDuplicateObject [0xA07D1276] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwFreeVirtualMemory [0xA07CA7D8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenKey [0xA07D177E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenProcess [0xA07D11B2] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenThread [0xA07D1218] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwProtectVirtualMemory [0xA07CA870] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwQueryValueKey [0xA07D18C2] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwRenameKey [0xA07D1D76] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwRestoreKey [0xA07D1880] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwSetValueKey [0xA07D1A04] <-- ROOTKIT !!!
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0xA08AD620] <-- ROOTKIT !!!

Code \??\C:\DOCUME~1\JACKGI~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C48 805044E4 4 Bytes JMP 7EA07D17
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB88C4000, 0x18FE04, 0xE8000020]
? System32\Drivers\aswTdi.SYS The system cannot find the path specified. !
? System32\Drivers\aswRdr.SYS The system cannot find the path specified. !
? C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS The system cannot find the file specified. !
? C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS The system cannot find the file specified. !
? System32\Drivers\aswSP.SYS The system cannot find the path specified. !
? System32\Drivers\Aavmker4.SYS The system cannot find the path specified. !
? System32\Drivers\aswFsBlk.SYS The system cannot find the path specified. !
? System32\Drivers\aswMon2.SYS The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\JACKGI~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\spoolsv.exe[416] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\spoolsv.exe[416] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\spoolsv.exe[416] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\spoolsv.exe[416] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\spoolsv.exe[416] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\spoolsv.exe[416] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\spoolsv.exe[416] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\spoolsv.exe[416] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\spoolsv.exe[416] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\spoolsv.exe[416] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\spoolsv.exe[416] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\spoolsv.exe[416] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\spoolsv.exe[416] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\spoolsv.exe[416] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\spoolsv.exe[416] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\winlogon.exe[644] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\services.exe[688] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[700] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[864] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[884] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[932] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\svchost.exe[984] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1080] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1112] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1208] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\svchost.exe[1332] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\Ati2evxx.exe[1356] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[1412] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Java\jre6\bin\jqs.exe[1436] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe[1776] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\USBStorage\USBDetector.exe[1836] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1844] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wdfmgr.exe[2128] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\wanmpsvc.exe[2148] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe[2256] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\System32\alg.exe[3036] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 64D06950 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 64D069B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 64D0BB30 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 64D0BCB0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 64D0B9B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 64D0B720 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 64D0B8A0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 64D09D40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 64D07AE0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 64D07ED0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 64D08290 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 64D083C0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 64D06E40 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 64D072B0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)
.text C:\WINDOWS\system32\wscntfy.exe[3328] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 64D078E0 C:\Program Files\Alwil Software\Avast5\snxhk.dll (avast! snxhk/AVAST Software)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[688] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00600002
IAT C:\WINDOWS\system32\services.exe[688] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00600000
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1384] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS

Device \FileSystem\Fastfat \Fat 99FFAD20
Device \FileSystem\Fastfat \Fat 9A0018C1

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [644] 0x10000000
Library C:\Program (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE [1808] 0x10000000

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) PRAGMApxevsticxr <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMApxevsticxr
Reg HKLM\SYSTEM\ControlSet002\Services\PRAGMApxevsticxr (not active ControlSet)

---- EOF - GMER 1.0.15 ----

#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:18 AM

Posted 18 February 2011 - 11:52 PM

Hello,

Let's run PRagmafix again this time from command prompt.


1.

Use the Windows key + R to open a Run dialog box.
Copy and paste or Type the following in the Run box:

PragmaFix -auto

If your machine does not restart after this runs please restart it your self.

Use the Windows key + R to open a Run dialog box.
Copy and paste or Type the following in the Run box:

PragmaFix -status


Please post the log when finished.

2.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\winlogon.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#13 bstrange

bstrange
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 19 February 2011 - 02:11 AM

PragmaFix cleaned some things this time :)

PF Log

Sat 02/19/2011 1:55:54.82


HKLM\SYSTEM\ControlSet001\Services\PRAGMApxevsticxr

Delete? (y/n) Key successfully deleted.


HKLM\SYSTEM\ControlSet002\Services\PRAGMApxevsticxr

Delete? (y/n) Key successfully deleted.


I uploaded C:\WINDOWS\system32\winlogon.exe to http://virusscan.jotti.org/en and all 19 scanners reported nothing found. I couldn't find a way to save a Jotti log so I screen shotted it in case you needed any of the other information it listed like the MD5 etc.

Sorry it took me so long to reply, I thought you had left for the day, so I got a couple hours of sleep. I saw the notice when I got up to get a drink or I probably wouldn't have gotten to it till morning ;)

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:18 AM

Posted 19 February 2011 - 02:55 AM

Hello,

Let's check to make sure that Pragma is gone and also get another Gmer log. I dint like the (hidden) with that Winlogon.exe in the previous log.


1.
Use the Windows key + R to open a Run dialog box.
Copy and paste or Type the following in the Run box:

PragmaFix -status


Please post the log when finished.



2.
Please run another Gmer scan.
I know it take along time but we need to make sure that rootkit is gone before we go any further or we are just wasting our time. :whistle:


Things to include in your next reply::
PRAGMA LOG
GMER LOG
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#15 bstrange

bstrange
  • Topic Starter

  • Members
  • 82 posts
  • OFFLINE
  •  
  • Local time:09:18 AM

Posted 19 February 2011 - 12:02 PM

Good Morning! here is the PF Status Report:
Sat 02/19/2011 1:55:54.82


HKLM\SYSTEM\ControlSet001\Services\PRAGMApxevsticxr

Delete? (y/n) Key successfully deleted.


HKLM\SYSTEM\ControlSet002\Services\PRAGMApxevsticxr

Delete? (y/n) Key successfully deleted.



Sat 02/19/2011 1:58:54.00

No embedded null keys found

Sat 02/19/2011 10:22:05.89

No embedded null keys found


I just started the GMER and the quick scan that occurrs seconds after clicking the exe showed nothing this time :) so I left all the boxes checked as before and started the scan. Judging from the last scan, it should finish sometime between 1:30 and 2:30 pm EST.

How is your machine running now?


Funny you should ask that question, as that is what IMO, makes this infection 'interesting'. The computer had been running well. Six month or so ago, it picked up Paladin Antivirus from a website but never displayed any of the usual symptoms. No popups, no fake virus scans, no redirects, no loss of internet connectivity. We became aware of the infection only after getting an email from our ISP stating that we were spreading viruses across their network and it demanded that we install Comodo antivirus.

I looked up Comodo, found that it was not a 'fake' AV and downloaded it directly from their site rather than the link provided by the ISP just to be safe (though the link in the email appeared to be legit). It scanned, picked up the Paladin and a couple other 'minor' threats and removed them without incident. As the PC had never shown any symptoms of infection, and the ISP sent an email stating everything looked fine on their end after installing Comodo, the cynical side of me assumed that either the infection was so trivial as to never display symptoms or that it was a marketing 'partnership' between the ISP and Comodo designed to boost Comodo sales since the ISP demanded the full blown Comodo Internet Securities package be installed rather than the free basic antivirus.

Whatever the case, the PC was moving well and still displaying no symptoms (and of course the ISP wasn't compalining any more) so like an idiot, I didn't run any additional scans or dig any further. Last week however, the two DVD drives quit working so I decided to give it some attention. I fixed both optical drives' registry errors (UpperFilters / LowerFilters) and got both drives working. I decided to do a full blown maintenance on the PC (long over due) and it was 'screaming' fast following the usual maintenance routine.

One of the last steps of the maintenance was to double check all of IE's settings and I found a number of them were altered and unchangable via IE's security tab with a message that they were being controlled by Group Policy. I accessed Group Policy, but the path "Windows Components\Internet Explorer" was not even present, in fact very few items were configurable in gpedit. The malware had removed all administrator templates for group policy editing. The following administrator templates had to be added: system.adm, conf.adm, inetres.adm, wmplayer.adm, wuau.adm. Once system.adm was added, I was able to override the changes it made to IE8 security.

At this point, it dawned on me to dig further so I ran an MBAM thorough scan that came up with the following:

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Value: 24d1ca9a-a864-4f7b-86fe-495eb56529d8 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Value: 7bde84a2-f58f-46ec-9eac-f1f90fead080 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\idln2 (Malware.Trace) -> Value: idln2 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\bk (Malware.Trace) -> Value: bk -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegistryMonitor1 (Trojan.Agent) -> Value: RegistryMonitor1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\RegistryMonitor2 (Malware.Trace) -> Value: RegistryMonitor2 -> Quarantined and deleted successfully.

Files Infected:
c:\program files\COMODO\comodo internet security\quarantine\689819.exe (Trojan.Dropper.Gen) -> Quarantined and deleted successfully.
c:\program files\COMODO\comodo internet security\quarantine\A0040433.exe (Spyware.Wemon) -> Quarantined and deleted successfully.
c:\program files\COMODO\comodo internet security\quarantine\svcnost.exe (Spyware.Wemon) -> Quarantined and deleted successfully.
c:\program files\COMODO\comodo internet security\quarantine\userinit.exe (Spyware.Wemon) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\pragmamfeklnmal.dll (Rootkit.TDSS) -> Delete on reboot.
c:\documents and settings\all users\favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\userinitxx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\jack gilmore\local settings\Temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\jack gilmore\local settings\temporary internet files\R205376.exe (Trojan.Agent) -> Quarantined and deleted successfully.

The subsequent MBAM scan following reboot came back clean and I assumed (/facepalm) that everything had been removed w/o incident.As some of the posts that I read stated that the optical drives' registry keys could have been corrupted by Comodo's registry guard (though I now believe this was a red herring) and since it had clearly missed a number of infections that (i *thought*) were cleaned by MBAM, I decided to remove the Comodo and install Avast. It installed w/o incident, ran it's boot scan and deleted:

File C:\Documents and Settings\Jack Gilmore\Local Settings\Temp\GLB22.tmp|>Wise0003.bin Error 42145 {Installer archive is corrupted.}
File C:\Documents and Settings\Jack Gilmore\My Documents\My Excel & Word Documents\AOL Downloads\America Online 7.0\setup.zip|>setup.mim|>PartNo_0#755158202 is infected by Win32:Klez-H [Wrm], Moved to chest
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\456V83GB\Notes2[1].pdf is infected by JS:Pdfka-gen [Expl], Moved to chest

I assumed they were either all really old traces, or outright False Positives (I mean come on, hehe Klez? Klez has been dead since '03 :) ) Whatever the case, the PC was still running great and I am thinking it's 100% clean so I go make some lunch. When I returned, Avast had flagged SVC:PRAGMApxevsticxr in it's realtime scan. a quick search on PRAGMA and I realized I had seriously underestimated my infection.

I ran combo fix on the 11th and it deleted:

c:\windows\system32\bszip.dll
-------\Legacy_PRAGMAPXEVSTICXR
-------\Service_PRAGMApxevsticxr
(I have omitted the full report to save space as this is already a novella lol, the full reports for all scans I did before posting here are available however if you want to look at them)

Looking back at the combofix log from the 11th, I noticed the following pertaining to the winlogon.exe so I am including it here as you had mentioned you were suspicious about that file:

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(6336)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\docume~1\JACKGI~1\LOCALS~1\Temp\connectbgdl.exe
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************

After reboot, I ran combofix again and it came back clean; but by then I was suspicious so I hit up eset and it found:

C:\WINDOWS\PRAGMApxevsticxr\PRAGMAc.dll a variant of Win32/Kryptik.EXT trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\PRAGMAd.sys a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz1D.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz3.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz7.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
on it's first run and:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0000075.dll a variant of Win32/Kryptik.EXT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0000076.sys a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined

on it's second. I hit up Fsecure online and it showed clean as well, so once again, I assumed all was well... 20 mins later, avast pops it's warning again.

I assumed there were probably registry keys infected still so after the third avast warning or so, I searched the registry and found:

LOCAL_MACHINE\software\ati technologies\cds\device\0\DeviceItem0082 : [Non-Plug and Play Drivers] -> [PRAGMApxevsticxr] (0x00000000)
CURRENT_USER\software\microsoft\internet explorer\explorer bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU\000 : PRAGMAd
HKEY_CURRENT_USER\software\microsoft\internet explorer\explorer bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU\001 : PRAGMAd.sys

Which oddly enough, deleted without 3rd party tools. I rebooted the system and it looked clean for about 20 minutes before avast cought the rootkit again.

At this point, I tried Kaspersky's TDSS Killer which found nothing. Root Repeal found a number of drivers (including itself):

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F0B000 Size: 96512 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA9AB8000 Size: 815104 File Visible: No Signed: -
Status: -

Name: iaStor.sys
Image Path: iaStor.sys
Address: 0xB9E44000 Size: 815104 File Visible: - Signed: -
Status: Hidden from the Windows API!

and a hidden service (this is what Avast realtime keeps flagging I believe):

Service Name: PRAGMApxevsticxr
Image Path: C:\WINDOWS\system32\drivers\PRAGMApxevsticxr.sys

and then finally, ran Dr. Web's Cure IT which found (what I believe are all false positives - all flagged as "probably backdoor trojan")that I plan to restore once we get it cleaned up unless you advise against it:

C:\Program Files\AOL\Installers\ASP 2.0\setup.exe - incurable - deleted
C:\Program Files\Common Files\AOL\1228683287\ee\services\antiSpyware\ver2_4_6_1\resources\ppctl.dll - incurable - deleted
C:\Program Files\Common Files\Scanner\ppctl.dll - incurable - deleted
C:\WinCSI\TOOLS\UnInst.exe - moved
C:\WinCSI\TOOLS\UTLic06\UnInst.exe - moved
C:\WinCSI\TOOLS\UTLic07\UnInst.exe - moved
C:\WinCSI\TOOLS\UTLic08\UnInst.exe - moved
C:\WinCSI\TOOLS\UTLic09\UnInst.exe - moved
C:\WinCSI\TOOLS\UTLic10\UnInst.exe - moved
C:\WinCSI\UT06\UTUNINST.EXE - moved
C:\WinCSI\UT07\UTUNINST.EXE - moved
C:\WinCSI\UT08\UTUNINST.EXE - moved
C:\WinCSI\UT09\UTUNINST.EXE - moved
C:\WinCSI\UT10\UTUNINST.EXE - moved

Lastly, I had run rkill several times and it had shut down some interesting things each time:

C:\DOCUME~1\JACKGI~1\LOCALS~1\Temp\connectbgdl.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\grpconv.exe (maybe this is the routine that affected my Group Policy??)


Hehe so there you have it (told you it was a novella)
I bet you wish you wouldn't have asked :P

I wouldn't have wasted your time for readin all that, or my time posting all that, but this infection has behaved so atypically from what I usually see, I actually found it very interesting :blink:

[Edit to add:] In any instance that Avast realtime scanner reports and then deletes the Rootkit and actually enters it into the log file the "Result" lists the following error "1381 The maximum number of secrets that may be stored in a single system has been exceeded." This has not occurred within the last half dozen times since uninstalling and reinstalling Avast; however, the detection and removal is no longer being listed in the logs either, so of course if there is no record, there is obviously no error...

Edited by bstrange, 19 February 2011 - 12:10 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users