javascript 6 infected me with a malware/win32 plz help


  • This topic is locked
17 replies to this topic

#1 SimoDarkman

  • Members
  • 16 posts

Posted 20 March 2011 - 07:12 PM

Hello everybody. Recently my PC was running very well until I did a JavaScript v6 update, and then my internet connection keeps stopping every 15 or 20 minutes, and when I want to connect once again it won't: the Internet ADSL icon won't show even though I click on it, so I have to restart. I formatted it 4 times and performed many boot scans with Avast; it says malware and Win32 but they still keep coming back. Could anyone give me a hand, please?

Edited by Budapest, 20 March 2011 - 07:33 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~BP




#2 SimoDarkman

  • Topic Starter
  • Members
  • 16 posts

Posted 22 March 2011 - 06:42 AM

By the way, here's my log with ComboFix:



ComboFix 11-03-21.02 - Administrateur 22/03/2011 11:09:46.1.2 - x86 MINIMAL
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1036.18.510.277 [GMT 1:00]
Lancé depuis: c:\documents and settings\Administrateur\Bureau\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 110321-1] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\nigzss.txt
c:\windows\repsvc.exe
c:\windows\system32\channels
c:\windows\system32\dmu.dll
c:\windows\system32\download
c:\windows\system32\e.exe
c:\windows\system32\logs
c:\windows\system32\mirc.exe
c:\windows\system32\mirc.ini
c:\windows\system32\sounds
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-02-22 au 2011-03-22 ))))))))))))))))))))))))))))))))))))
.
.
2011-03-22 09:50 . 2011-03-22 09:50 -------- d-----w- C:\sh4ldr
2011-03-21 23:06 . 2011-03-21 23:06 212992 --sh--w- C:\repsvc.exe
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
.
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SuperCopier.exe"="c:\program files\SuperCopier\SuperCopier.exe" [2003-04-24 683520]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2010-11-05 4098904]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"NilAFkDMv21qL"="\repsvc.exe" [2011-03-21 212992]
.
c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2011-3-21 962661]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"ClearDocsOnExit"= 64 (0x40)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"ClearDocsOnExit"= 64 (0x40)
"ForceClassicControlPanel"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eSzWCNP0sBcDE]
2011-03-21 23:06 212992 --sh--w- C:\repsvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NilAFkDMv21qL]
2011-03-21 23:06 212992 --sh--w- C:\repsvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
2004-10-11 13:54 589824 ----a-w- c:\program files\VIA\RAID\raid_tool.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Remote Registry Service]
2011-03-21 23:06 212992 ----a-w- c:\windows\system32\repsvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
.
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [21/03/2011 21:03 114768]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21/03/2011 21:03 20560]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [05/11/2010 17:53 327000]
.
--- Autres Services/Pilotes en mémoire ---
.
*NewlyCreated* - ADILOADER
.
.
------- Examen supplémentaire -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.google.fr/
TCP: {D2F42AEF-C11B-4FD7-B3CB-58A5DF08F9DE} = 62.251.229.237 62.251.229.223
.
- - - - ORPHELINS SUPPRIMES - - - -
.
HKLM-Run-UpdateShield - c:\windows\System32\r2c\mIRC.exe
AddRemove-mIRC - c:\windows\System32\mirc.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 11:12
Windows 5.1.2600 Service Pack 2 NTFS
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): Le processus ne peut pas accéder au fichier car ce fichier est utilisé par un autre processus.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------
.
- - - - - - - > 'winlogon.exe'(236)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\documents and settings\Administrateur\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Administrateur\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
.
Heure de fin: 2011-03-22 11:14:54
ComboFix-quarantined-files.txt 2011-03-22 10:14
.
Avant-CF: 28 396 576 768 octets libres
Après-CF: 28 411 932 672 octets libres
.
- - End Of File - - 1D9E7D74D6B6CF7C615269592CFC7AFA

Edited by Orange Blossom, 23 March 2011 - 08:07 PM.
Merged topics and moved result to log forum. ~ OB
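As an added example (not code from this thread, from ComboFix or from BleepingComputer), the Python script below triages the registry load-point section of a ComboFix log like the one posted above, flagging the patterns a helper reads first: a Run value with a random-looking name, an autorun target outside Program Files or Windows (here the drive-root repsvc.exe), a file carrying hidden+system attributes, the Security Center override values and a disabled Windows Firewall. The sample lines are a constructed excerpt modelled on the log; the random-name heuristic and the trusted-directory list are assumptions, not ComboFix rules.

```python
"""Triage helper for the 'Points de chargement Reg' section of a ComboFix log.

Added example, not a ComboFix or BleepingComputer tool. The heuristics
(random-looking names, trusted directories) are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the log posted above (backslashes doubled for Python).
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SuperCopier.exe"="c:\\program files\\SuperCopier\\SuperCopier.exe" [2003-04-24 683520]
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
.
[HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"CTFMON.EXE"="c:\\windows\\system32\\CTFMON.EXE" [2004-08-04 15360]
"NilAFkDMv21qL"="\\repsvc.exe" [2011-03-21 212992]
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\eSzWCNP0sBcDE]
2011-03-21 23:06 212992 --sh--w- C:\\repsvc.exe
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')           # "Name"="path" [date size]
DWORD_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:)?0*(\d+)')  # dword:00000001 or  0 (0x0)
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} +\d+ +([-a-z]{8}) +(.+)$")
TRUSTED_DIRS = ("c:\\program files", "c:\\progra~1", "c:\\windows")  # assumption


@dataclass
class Finding:
    key: str
    line: str
    reason: str


def is_random_name(name: str) -> bool:
    """Heuristic: long alphanumeric token without a dot, with digits and mixed case."""
    if "." in name or not re.fullmatch(r"[A-Za-z0-9]{10,}", name):
        return False
    if not any(c.isdigit() for c in name):
        return False
    letters = [c for c in name if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def path_outside_trusted(path: str) -> bool:
    """True for an explicit path that is not under Program Files or Windows."""
    p = path.lower()
    return "\\" in p and not p.startswith(TRUSTED_DIRS)


def triage(log_text: str) -> list[Finding]:
    """Walk the log line by line, remembering the current registry key."""
    findings: list[Finding] = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            leaf = key.rsplit("\\", 1)[-1]
            if "startupreg" in key.lower() and is_random_name(leaf):
                findings.append(Finding(key, line, "random-looking startup item name"))
            continue
        m = VALUE_RE.match(line)
        if m:
            name, path = m.groups()
            if is_random_name(name):
                findings.append(Finding(key, line, "random-looking run value name"))
            if path_outside_trusted(path):
                findings.append(Finding(key, line, "autorun target outside Program Files / Windows"))
            continue
        m = DWORD_RE.match(line)
        if m:
            name, value = m.groups()
            k = key.lower()
            if k.endswith("security center") and name in ("AntiVirusOverride", "FirewallOverride") and value != "0":
                findings.append(Finding(key, line, "Security Center warning override set"))
            elif "firewallpolicy" in k and name == "EnableFirewall" and value == "0":
                findings.append(Finding(key, line, "Windows Firewall disabled"))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            if "s" in attrs and "h" in attrs:
                findings.append(Finding(key, line, "file has hidden+system attributes"))
            if path.count("\\") == 1:
                findings.append(Finding(key, line, "executable placed in drive root"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.line}\n    under {f.key}")
```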


#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 25 March 2011 - 09:45 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#4 SimoDarkman

  • Topic Starter
  • Members
  • 16 posts

Posted 26 March 2011 - 06:58 PM

OK my friend, I will wait for you. That virus really drives me crazy.

#5 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 26 March 2011 - 07:16 PM

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.


Can you start with a TDSSKiller scan?

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close.
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE

#6 SimoDarkman

  • Topic Starter
  • Members
  • 16 posts

Posted 29 March 2011 - 08:01 AM

OK my friend, I did the scan but it found nothing at all. Here's the log:

2011/03/29 16:27:36.0250 3592 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/29 16:27:36.0781 3592 ================================================================================
2011/03/29 16:27:36.0781 3592 SystemInfo:
2011/03/29 16:27:36.0781 3592
2011/03/29 16:27:36.0781 3592 OS Version: 5.1.2600 ServicePack: 2.0
2011/03/29 16:27:36.0781 3592 Product type: Workstation
2011/03/29 16:27:36.0781 3592 ComputerName: URANIUMOFCOURSE
2011/03/29 16:27:36.0781 3592 UserName: Administrateur
2011/03/29 16:27:36.0781 3592 Windows directory: C:\WINDOWS
2011/03/29 16:27:36.0781 3592 System windows directory: C:\WINDOWS
2011/03/29 16:27:36.0781 3592 Processor architecture: Intel x86
2011/03/29 16:27:36.0781 3592 Number of processors: 2
2011/03/29 16:27:36.0781 3592 Page size: 0x1000
2011/03/29 16:27:36.0781 3592 Boot type: Normal boot
2011/03/29 16:27:36.0781 3592 ================================================================================
2011/03/29 16:27:37.0078 3592 Initialize success
2011/03/29 16:27:45.0640 3644 ================================================================================
2011/03/29 16:27:45.0640 3644 Scan started
2011/03/29 16:27:45.0640 3644 Mode: Manual;
2011/03/29 16:27:45.0640 3644 ================================================================================
2011/03/29 16:28:15.0656 3644 ================================================================================
2011/03/29 16:28:15.0656 3644 Scan finished
2011/03/29 16:28:15.0656 3644 ================================================================================
2011/03/29 16:28:33.0843 3588 Deinitialize success

#7 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 29 March 2011 - 06:06 PM

Let's have an updated ComboFix log. Please rerun ComboFix, update it if it requests, and post the log.
m0le is a proud member of UNITE

#8 SimoDarkman

  • Topic Starter
  • Members
  • 16 posts

Posted 31 March 2011 - 07:27 AM

OK my friend, here it is :-). By the way, while ComboFix was scanning it said "combofix has detected a rootkit activity".



ComboFix 11-03-30.02 - Administrateur 01/04/2011 12:15:17.1.2 - FAT32x86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1036.18.509.363 [GMT 2:00]
Lancé depuis: c:\documents and settings\Administrateur\Bureau\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Un nouveau point de restauration a été créé
.
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-03-01 au 2011-04-01 ))))))))))))))))))))))))))))))))))))
.
.
2011-03-29 22:41 . 2011-03-29 22:41 -------- d-----w- C:\FOUND.004
2011-03-29 22:31 . 2011-03-29 22:31 -------- d-----w- C:\FOUND.003
2011-03-29 12:27 . 2011-03-29 12:27 -------- d-----w- C:\FOUND.002
2011-03-28 16:32 . 2011-03-28 16:32 -------- d-----w- C:\FOUND.001
2011-03-28 12:17 . 2011-03-28 12:17 -------- d-----w- C:\FOUND.000
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-06 09:54 . 2011-03-27 12:15 2125 ----a-w- c:\windows\UDB.zip
.
.
------- Sigcheck -------
.
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2010-07-29 13:04 70264 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-07-28 3241312]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-02-23 3451496]
"autoclk"="autoclk.exe" [2003-01-30 143360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-04-01 86016]
"PCTools FGuard"="c:\program files\PC Tools Security\BDT\FGuard.exe" [2011-01-07 108496]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 577536]
"SpeedBitVideoAccelerator"="c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2011-03-28 2705008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\All Users\Menu Démarrer\Programmes\Démarrage\
DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2011-3-27 962661]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"ClearDocsOnExit"= 64 (0x40)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"ClearDocsOnExit"= 64 (0x40)
"ForceClassicControlPanel"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
2003-12-27 18:43 81920 ----a-w- c:\program files\D-Tools\daemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-04-01 14:16 1495040 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2005-03-01 09:33 3551744 ----a-w- c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 12:49 249064 ----a-w- c:\program files\Fichiers communs\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"mnmsrvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\serivces.exe"=
"c:\\WINDOWS\\System32\\fewh.exe"=
.
R0 d344bus;d344bus;c:\windows\system32\drivers\d344bus.sys [27/03/2011 02:14 137216]
R0 d344prt;d344prt;c:\windows\system32\drivers\d344prt.sys [27/03/2011 02:14 5248]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [27/03/2011 14:11 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [27/03/2011 14:11 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [27/03/2011 14:11 656320]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [27/03/2011 03:31 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [27/03/2011 02:27 301528]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [29/07/2010 15:07 74080]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [30/03/2011 02:02 2964312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [27/03/2011 02:27 19544]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [27/03/2011 14:15 247760]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe [27/03/2011 14:24 632792]
R2 PlugPlayCM;Plug and Play Manager;c:\windows\system32\serivces.exe [30/03/2011 19:17 47616]
R2 sbbotdi;sbbotdi;c:\progra~1\SPEEDB~1\sbbotdi.sys [28/03/2011 03:10 35584]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [30/03/2011 02:02 73728]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [27/03/2011 14:11 366840]
.
Contenu du dossier 'Tâches planifiées'
.
2011-03-27 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2011-03-27 12:23]
.
2011-03-27 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2011-03-27 11:11]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.fr/
uLocal Page =
mSearch Bar =
uInternet Connection Wizard,ShellNext = hxxp://www.google.fr/
uSearchAssistant =
uCustomizeSearch =
IE: Télécharger avec IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Télécharger le contenu de video FLV avec IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Télécharger tous les liens avec IDM - c:\program files\Internet Download Manager\IEGetAll.htm
LSP: c:\program files\Fichiers communs\PC Tools\Lsp\PCTLsp.dll
.
- - - - ORPHELINS SUPPRIMES - - - -
.
MSConfigStartUp-Remote Registry Service - repsvc.exe
MSConfigStartUp-rSuv2zH6uN4vc - \repsvc.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-01 12:22
Windows 5.1.2600 Service Pack 2 FAT NTAPI
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
--------------------- DLLs chargées dans les processus actifs ---------------------
.
- - - - - - - > 'lsass.exe'(792)
c:\program files\Fichiers communs\PC Tools\Lsp\PCTLsp.dll
.
- - - - - - - > 'explorer.exe'(3544)
c:\program files\Internet Download Manager\IDMShellExt.dll
.
Heure de fin: 2011-04-01 12:25:19
ComboFix-quarantined-files.txt 2011-04-01 10:25
.
Avant-CF: 27 770 847 232 octets libres
Après-CF: 27 796 013 056 octets libres
.
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professionnel" /noexecute=optin /fastdetect
.
- - End Of File - - F74C1E292E9D73C44948B83D63BF1FC5
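
The ComboFix log above lists c:\WINDOWS\system32\serivces.exe both in the firewall's authorised-application list and as the binary behind a service called "Plug and Play Manager", a name one letter-swap away from the legitimate services.exe, alongside an otherwise unknown fewh.exe in the same directory. The script below is an added example and is not part of the original thread or of ComboFix: it pulls executable paths out of log lines of this shape and flags base names that sit within a small edit distance of a well-known Windows binary, or unknown executables placed directly in system32. The whitelist, the distance threshold and the helper names are assumptions chosen for illustration; the sample lines are copied from the log above, the rest of the script is constructed.

```python
"""Flag look-alike and unknown system32 executables in ComboFix-style log lines.

Added example; not ComboFix's own code. A one-letter swap such as
"serivces.exe" is easy to miss by eye, so the base name of every executable
found under system32 is compared against a list of legitimate Windows
binaries with edit distance.
"""
import re
from pathlib import PureWindowsPath

# Legitimate names that malware commonly imitates. A real deployment would
# take the full inventory from a clean reference install (assumption).
KNOWN_SYSTEM_BINARIES = {
    "services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "winlogon.exe", "explorer.exe", "spoolsv.exe", "sessmgr.exe",
    "ctfmon.exe", "alg.exe", "wscntfy.exe",
}

# Edit distance at or below this counts as a look-alike (assumption).
LOOKALIKE_MAX_DISTANCE = 2

# Matches a drive- or %windir%-rooted path ending in .exe/.sys/.dll.
PATH_RE = re.compile(r'(?:[a-z]:|%windir%)\\[^";\[]*?\.(?:exe|sys|dll)', re.I)

# Sample lines copied from the ComboFix log above (firewall AuthorizedApplications
# entries and service entries); the surrounding script is constructed.
SAMPLE_LOG = r'''
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\WINDOWS\\system32\\serivces.exe"=
"c:\\WINDOWS\\System32\\fewh.exe"=
R2 PlugPlayCM;Plug and Play Manager;c:\windows\system32\serivces.exe [30/03/2011 19:17 47616]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [27/03/2011 02:27 19544]
'''


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_paths(log_text: str):
    """Yield executable paths from the log, collapsing the doubled backslashes
    that the registry export uses for firewall entries."""
    for line in log_text.splitlines():
        for match in PATH_RE.finditer(line.replace("\\\\", "\\")):
            yield match.group(0)


def classify(path: str):
    """Return a verdict string for one path, or None when nothing stands out."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    closest = min(KNOWN_SYSTEM_BINARIES, key=lambda k: levenshtein(name, k))
    if levenshtein(name, closest) <= LOOKALIKE_MAX_DISTANCE:
        return f"look-alike of {closest}"
    if p.parent.name.lower() == "system32" and name.endswith(".exe"):
        # Unknown name in the system directory: a prompt for a hash lookup,
        # not proof of malice.
        return "unknown executable in system32"
    return None


def scan_log(log_text: str):
    """Return sorted (path, verdict) pairs for every path that draws a flag,
    de-duplicated so a binary seen in several log sections appears once."""
    findings = {}
    for path in extract_paths(log_text):
        verdict = classify(path)
        if verdict:
            findings[path.lower()] = verdict
    return sorted(findings.items())


if __name__ == "__main__":
    for path, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:35} {path}")
```

Run against the sample lines it reports fewh.exe as an unknown system32 executable and serivces.exe as a look-alike of services.exe, while sessmgr.exe, opera.exe and the avast driver pass. The "unknown executable" flag is only a prompt to compare the file's hash with a clean reference: a legitimate vendor binary such as nwiz.exe, which the same log shows under c:\windows\system32, would trip it just as readily.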

#9 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 31 March 2011 - 06:16 PM

  • Please download WVCheck by Artellos from one of the mirrors below;

    Artellos.com (exe)
    Artellos.com (zip)

  • After the download, run WVCheck.exe
  • As indicated by the prompt, this program can take a while depending on your hard drive space.
  • Once the program is done, copy the contents of the notepad file as a reply.

m0le is a proud member of UNITE

#10 SimoDarkman
  • Topic Starter
  • Members
  • 16 posts

Posted 01 April 2011 - 10:41 AM

here it is friend, btw the scan took almost 20 seconds

Windows Validation Check
Version: 1.9.11.5
Log Created On: 1540_02-04-2011
-----------------------

Windows Information
-----------------------
Windows Version: Windows XP Service Pack 2
Windows Mode: Normal
Systemroot Path: C:\WINDOWS

WVCheck's Auto Update Check
-----------------------
Auto-Update Option: Do not download or install updates automatically.
-----------------------
Last success time for Automatic Updates for 'Detect', 'Download' and 'Install' could not be found.


WVCheck's Registry Check Check
-----------------------
Antiwpa: Not Found
-----------------------
Chew7Hale: Not Found
-----------------------


WVCheck's File Dump
-----------------------
WVCheck found no known bad files.


WVCheck's Dir Dump
-----------------------
WVCheck found no known bad directories.


WVCheck's Missing File Check
-----------------------
WVCheck found no missing Windows files.


WVCheck's HOSTS File Check
-----------------------
WVCheck found no bad lines in the hosts file.


WVCheck's MD5 Check
EXPERIMENTAL!!
-----------------------
user32.dll - c34920eb988ce98910bd6b0417f334eb


-------- End of File, program close at 1540_02-04-2011 --------

#11 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 01 April 2011 - 07:15 PM

Please run MBRCheck

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#12 SimoDarkman
  • Topic Starter
  • Members
  • 16 posts

Posted 02 April 2011 - 05:31 AM

here u go dear friend, btw I'm still facing that Internet ADSL icon disconnecting and getting blocked, and when I try to click on it, it escapes, so I have to restart the system all over again. It happened to me back in the days but with avast: I kept clicking on avast's icon but it escaped damn quickly, plus it got disabled, so I had to restart the system all over again and on and on... but that Internet ADSL problem won't go away even after scanning and formatting a bunch of times; the same prob keeps coming back. It's a bad ass rootkit I've been infected by, but anyway here's the log:


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000007d

Kernel Drivers (total 122):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x80720000 \WINDOWS\system32\hal.dll
0xF8A37000 \WINDOWS\system32\KDCOM.DLL
0xF8947000 \WINDOWS\system32\BOOTVID.dll
0xF84E7000 ACPI.sys
0xF8A39000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF84D6000 pci.sys
0xF8537000 isapnp.sys
0xF8A3B000 viaide.sys
0xF87B7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF8547000 MountMgr.sys
0xF84B7000 ftdisk.sys
0xF8A3D000 dmload.sys
0xF8491000 dmio.sys
0xF87BF000 PartMgr.sys
0xF87C7000 videX32.sys
0xF8557000 VolSnap.sys
0xF8479000 atapi.sys
0xF8460000 viamraid.sys
0xF8448000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF8567000 disk.sys
0xF8577000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF8429000 fltMgr.sys
0xF8417000 sr.sys
0xF8400000 KSecDD.sys
0xF8373000 Ntfs.sys
0xF8346000 NDIS.sys
0xF8587000 uagp35.sys
0xF832B000 Mup.sys
0xF8647000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF8113000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF80FF000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF8657000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF8667000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF80DC000 \SystemRoot\system32\DRIVERS\ks.sys
0xF8677000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF8827000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF80B9000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF882F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7CE2000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF7CBE000 \SystemRoot\system32\drivers\portcls.sys
0xF8687000 \SystemRoot\system32\drivers\drmk.sys
0xF8697000 \SystemRoot\system32\DRIVERS\fetnd5b.sys
0xF8837000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7C96000 \SystemRoot\system32\DRIVERS\serial.sys
0xF89E3000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7C82000 \SystemRoot\system32\DRIVERS\parport.sys
0xF86A7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF883F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF8B9B000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF86B7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF89E7000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF7C6B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF86C7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF86D7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF8847000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF7C5A000 \SystemRoot\system32\DRIVERS\psched.sys
0xF86E7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF884F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF8857000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7C29000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF86F7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF885F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF8A41000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF7BCD000 \SystemRoot\system32\DRIVERS\update.sys
0xF8A0B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF8707000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF8717000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8A47000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF8867000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF8A49000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8B6D000 \SystemRoot\System32\Drivers\Null.SYS
0xF8A4B000 \SystemRoot\System32\Drivers\Beep.SYS
0xF8877000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF887F000 \SystemRoot\System32\drivers\vga.sys
0xF8A4D000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8A4F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF8887000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF888F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF82F3000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF69D2000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF697A000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF6931000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF8737000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xF8747000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF6909000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF8897000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xF89CF000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF68E7000 \SystemRoot\System32\drivers\afd.sys
0xF8757000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF68BC000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF684D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF8767000 \SystemRoot\System32\Drivers\Fips.SYS
0xF6805000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF67A7000 \SystemRoot\System32\Drivers\aswSnx.SYS
0xF88AF000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF88B7000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7C01000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF8797000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF6A29000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF87A7000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF6A25000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF6767000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8A59000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6A19000 \SystemRoot\System32\drivers\Dxapi.sys
0xF88BF000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8C3B000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xF674B000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xF5681000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF55CB000 \SystemRoot\system32\DRIVERS\adiusbaw.sys
0xF4CC4000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xF49C7000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF8A71000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF4884000 \SystemRoot\system32\DRIVERS\srv.sys
0xF4847000 \SystemRoot\system32\drivers\wdmaud.sys
0xF7B6D000 \SystemRoot\system32\drivers\sysaudio.sys
0xF446F000 \SystemRoot\System32\Drivers\HTTP.sys
0xF212B000 \SystemRoot\system32\drivers\kmixer.sys
0x7C910000 \WINDOWS\system32\ntdll.dll

Processes (total 27):
0 System Idle Process
4 System
624 C:\WINDOWS\system32\smss.exe
672 csrss.exe
696 C:\WINDOWS\system32\winlogon.exe
740 C:\WINDOWS\system32\services.exe
752 C:\WINDOWS\system32\lsass.exe
900 C:\WINDOWS\system32\svchost.exe
980 svchost.exe
1032 C:\WINDOWS\system32\svchost.exe
1124 svchost.exe
1148 svchost.exe
1392 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1480 C:\WINDOWS\explorer.exe
1628 C:\WINDOWS\soundman.exe
1644 C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
1652 C:\WINDOWS\system32\ctfmon.exe
1672 C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
1884 C:\WINDOWS\system32\spoolsv.exe
180 C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe
320 C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
1240 alg.exe
2200 C:\WINDOWS\system32\wscntfy.exe
2472 C:\Program Files\Internet Explorer\iexplore.exe
3036 C:\Program Files\uTorrent\uTorrent.exe
3260 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
1420 C:\Documents and Settings\Administrateur\Bureau\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000007`52c65e00 (NTFS)

PhysicalDrive0 Model Number: ST3160021A, Rev: 8.01

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: 8637A6CD1F8DC55758E12C0B860CDE1133CA5719


Done!

Edited by SimoDarkman, 02 April 2011 - 05:33 AM.


#13 SimoDarkman
  • Topic Starter
  • Members
  • 16 posts

Posted 02 April 2011 - 06:39 AM

I know now where the rootkit is hiding: it's in the Kernel system. If I get to delete it from there I will solve my problem, so any tip to get it out of the Kernel system?

#14 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 02 April 2011 - 01:47 PM

Run Gmer for me. TDSSKiller removes rootkits from the kernel - where all rootkits are found.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#15 SimoDarkman
  • Topic Starter
  • Members
  • 16 posts

Posted 03 April 2011 - 08:21 AM

ok here's the log but nothing was detected at all by either GMER or TDSSKiller :-(


GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-04 13:20:17
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST3160021A rev.8.01
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kgnyyfow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xF6849A68]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xF685189A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xF6851752]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xF6851D58]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xF6851C6E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xF6851326]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xF6849B18]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xF685182E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xF6851262]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xF68512C8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xF6849BB0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xF6851972]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF6851E26]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xF6851930]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xF6851AB4]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xF685E8DE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xF685E702]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xF685E83C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00150030
.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0015006C
.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 00380120
.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 003800E4
.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 003800A8
.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 00380030
.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 0038006C
.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 003901D4
.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 003900E4
.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 00390120
.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 0039015C
.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 00390198
.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 00390030
.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 0039006C
.text C:\Program Files\Fichiers communs\PC Tools\sMonitor\StartManSvc.exe[252] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 003900A8
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00150030
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0015006C
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 00380120
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 003800E4
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 003800A8
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 00380030
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 0038006C
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 003901D4
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 003900E4
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 00390120
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 0039015C
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 00390198
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 00390030
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 0039006C
.text C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe[356] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 003900A8
.text C:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00070030
.text C:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\winlogon.exe[684] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 002A01D4
.text C:\WINDOWS\system32\winlogon.exe[684] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 002A00E4
.text C:\WINDOWS\system32\winlogon.exe[684] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 002A0120
.text C:\WINDOWS\system32\winlogon.exe[684] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 002A015C
.text C:\WINDOWS\system32\winlogon.exe[684] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 002A0198
.text C:\WINDOWS\system32\winlogon.exe[684] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 002A0030
.text C:\WINDOWS\system32\winlogon.exe[684] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 002A006C
.text C:\WINDOWS\system32\winlogon.exe[684] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 002A00A8
.text C:\WINDOWS\system32\winlogon.exe[684] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\winlogon.exe[684] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\winlogon.exe[684] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\winlogon.exe[684] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\winlogon.exe[684] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 002A01D4
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 002A00E4
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 002A0120
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 002A015C
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 002A0198
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 002A0030
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 002A006C
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 002A00A8
.text C:\WINDOWS\system32\services.exe[728] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\services.exe[728] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\services.exe[728] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\services.exe[728] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\services.exe[728] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 002A01D4
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 002A00E4
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 002A0120
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 002A015C
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 002A0198
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 002A0030
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 002A006C
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 002A00A8
.text C:\WINDOWS\system32\lsass.exe[740] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\lsass.exe[740] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\lsass.exe[740] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\lsass.exe[740] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\lsass.exe[740] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[900] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[900] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 002A01D4
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 002A00E4
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 002A0120
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 002A015C
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 002A0198
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 002A0030
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 002A006C
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 002A00A8
.text C:\WINDOWS\system32\svchost.exe[900] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[900] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[900] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[900] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[900] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[956] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 002A01D4
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 002A00E4
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 002A0120
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 002A015C
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 002A0198
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 002A0030
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 002A006C
.text C:\WINDOWS\system32\svchost.exe[956] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 002A00A8
.text C:\WINDOWS\system32\svchost.exe[956] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[956] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[956] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[956] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[956] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 002B006C
.text C:\WINDOWS\System32\svchost.exe[1008] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\svchost.exe[1008] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 002A01D4
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 002A00E4
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 002A0120
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 002A015C
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 002A0198
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 002A0030
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 002A006C
.text C:\WINDOWS\System32\svchost.exe[1008] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 002A00A8
.text C:\WINDOWS\System32\svchost.exe[1008] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 002B0120
.text C:\WINDOWS\System32\svchost.exe[1008] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 002B00E4
.text C:\WINDOWS\System32\svchost.exe[1008] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\System32\svchost.exe[1008] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 002B0030
.text C:\WINDOWS\System32\svchost.exe[1008] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1092] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 002A01D4
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 002A00E4
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 002A0120
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 002A015C
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 002A0198
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 002A0030
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 002A006C
.text C:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 002A00A8
.text C:\WINDOWS\system32\svchost.exe[1092] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[1092] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[1092] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[1092] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[1092] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 002A01D4
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 002A00E4
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 002A0120
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 002A015C
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 002A0198
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 002A0030
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 002A006C
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 002A00A8
.text C:\WINDOWS\system32\svchost.exe[1124] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[1124] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[1124] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[1124] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[1124] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 002B006C
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1320] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\WINDOWS\Explorer.EXE[1444] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00090030
.text C:\WINDOWS\Explorer.EXE[1444] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0009006C
.text C:\WINDOWS\Explorer.EXE[1444] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 002B01D4
.text C:\WINDOWS\Explorer.EXE[1444] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 002B00E4
.text C:\WINDOWS\Explorer.EXE[1444] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 002B0120
.text C:\WINDOWS\Explorer.EXE[1444] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 002B015C
.text C:\WINDOWS\Explorer.EXE[1444] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 002B0198
.text C:\WINDOWS\Explorer.EXE[1444] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 002B0030
.text C:\WINDOWS\Explorer.EXE[1444] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 002B006C
.text C:\WINDOWS\Explorer.EXE[1444] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 002B00A8
.text C:\WINDOWS\Explorer.EXE[1444] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 002C0120
.text C:\WINDOWS\Explorer.EXE[1444] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 002C00E4
.text C:\WINDOWS\Explorer.EXE[1444] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 002C00A8
.text C:\WINDOWS\Explorer.EXE[1444] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 002C0030
.text C:\WINDOWS\Explorer.EXE[1444] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 002C006C
.text C:\WINDOWS\SOUNDMAN.EXE[1528] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00140030
.text C:\WINDOWS\SOUNDMAN.EXE[1528] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0014006C
.text C:\WINDOWS\SOUNDMAN.EXE[1528] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 00370120
.text C:\WINDOWS\SOUNDMAN.EXE[1528] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 003700E4
.text C:\WINDOWS\SOUNDMAN.EXE[1528] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 003700A8
.text C:\WINDOWS\SOUNDMAN.EXE[1528] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 00370030
.text C:\WINDOWS\SOUNDMAN.EXE[1528] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 0037006C
.text C:\WINDOWS\SOUNDMAN.EXE[1528] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 003801D4
.text C:\WINDOWS\SOUNDMAN.EXE[1528] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 003800E4
.text C:\WINDOWS\SOUNDMAN.EXE[1528] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 00380120
.text C:\WINDOWS\SOUNDMAN.EXE[1528] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 0038015C
.text C:\WINDOWS\SOUNDMAN.EXE[1528] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 00380198
.text C:\WINDOWS\SOUNDMAN.EXE[1528] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 00380030
.text C:\WINDOWS\SOUNDMAN.EXE[1528] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 0038006C
.text C:\WINDOWS\SOUNDMAN.EXE[1528] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 003800A8
.text C:\WINDOWS\system32\ctfmon.exe[1536] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 000A0030
.text C:\WINDOWS\system32\ctfmon.exe[1536] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 000A006C
.text C:\WINDOWS\system32\ctfmon.exe[1536] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\ctfmon.exe[1536] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\ctfmon.exe[1536] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\ctfmon.exe[1536] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\ctfmon.exe[1536] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\ctfmon.exe[1536] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\ctfmon.exe[1536] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\ctfmon.exe[1536] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\ctfmon.exe[1536] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\ctfmon.exe[1536] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\ctfmon.exe[1536] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\ctfmon.exe[1536] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\ctfmon.exe[1536] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 002C006C
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00150030
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0015006C
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 00390120
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 003900E4
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 003900A8
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 00390030
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 0039006C
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 003A01D4
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 003A00E4
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 003A0120
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 003A015C
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 003A0198
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 003A0030
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 003A006C
.text C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe[1544] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 003A00A8
.text C:\Program Files\uTorrent\uTorrent.exe[1552] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00330030
.text C:\Program Files\uTorrent\uTorrent.exe[1552] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0033006C
.text C:\Program Files\uTorrent\uTorrent.exe[1552] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 006701D4
.text C:\Program Files\uTorrent\uTorrent.exe[1552] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 006700E4
.text C:\Program Files\uTorrent\uTorrent.exe[1552] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 00670120
.text C:\Program Files\uTorrent\uTorrent.exe[1552] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 0067015C
.text C:\Program Files\uTorrent\uTorrent.exe[1552] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 00670198
.text C:\Program Files\uTorrent\uTorrent.exe[1552] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 00670030
.text C:\Program Files\uTorrent\uTorrent.exe[1552] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 0067006C
.text C:\Program Files\uTorrent\uTorrent.exe[1552] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 006700A8
.text C:\Program Files\uTorrent\uTorrent.exe[1552] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 00680120
.text C:\Program Files\uTorrent\uTorrent.exe[1552] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 006800E4
.text C:\Program Files\uTorrent\uTorrent.exe[1552] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 006800A8
.text C:\Program Files\uTorrent\uTorrent.exe[1552] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 00680030
.text C:\Program Files\uTorrent\uTorrent.exe[1552] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 0068006C
.text C:\Program Files\uTorrent\uTorrent.exe[1552] WS2_32.dll!GetAddrInfoW 719F2899 5 Bytes JMP 288FC460 C:\Program Files\SpeedBit Video Accelerator\Accelerator.dll (Accelerator/SpeedBit Ltd.)
.text C:\Program Files\uTorrent\uTorrent.exe[1552] WS2_32.dll!gethostbyname 719F4FD4 5 Bytes JMP 288FC800 C:\Program Files\SpeedBit Video Accelerator\Accelerator.dll (Accelerator/SpeedBit Ltd.)
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00140030
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0014006C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 00370120
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 003700E4
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 003700A8
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 00370030
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 0037006C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 003801D4
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 003800E4
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 00380120
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 0038015C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 00380198
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 00380030
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 0038006C
.text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1572] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 003800A8
.text C:\WINDOWS\system32\spoolsv.exe[1976] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\spoolsv.exe[1976] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\spoolsv.exe[1976] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 002A01D4
.text C:\WINDOWS\system32\spoolsv.exe[1976] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 002A00E4
.text C:\WINDOWS\system32\spoolsv.exe[1976] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 002A0120
.text C:\WINDOWS\system32\spoolsv.exe[1976] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 002A015C
.text C:\WINDOWS\system32\spoolsv.exe[1976] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 002A0198
.text C:\WINDOWS\system32\spoolsv.exe[1976] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 002A0030
.text C:\WINDOWS\system32\spoolsv.exe[1976] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 002A006C
.text C:\WINDOWS\system32\spoolsv.exe[1976] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 002A00A8
.text C:\WINDOWS\system32\spoolsv.exe[1976] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\spoolsv.exe[1976] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\spoolsv.exe[1976] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\spoolsv.exe[1976] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\spoolsv.exe[1976] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\wscntfy.exe[2188] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\wscntfy.exe[2188] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\wscntfy.exe[2188] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\wscntfy.exe[2188] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\wscntfy.exe[2188] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\wscntfy.exe[2188] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\wscntfy.exe[2188] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\wscntfy.exe[2188] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 002D01D4
.text C:\WINDOWS\system32\wscntfy.exe[2188] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 002D00E4
.text C:\WINDOWS\system32\wscntfy.exe[2188] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 002D0120
.text C:\WINDOWS\system32\wscntfy.exe[2188] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 002D015C
.text C:\WINDOWS\system32\wscntfy.exe[2188] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 002D0198
.text C:\WINDOWS\system32\wscntfy.exe[2188] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 002D0030
.text C:\WINDOWS\system32\wscntfy.exe[2188] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 002D006C
.text C:\WINDOWS\system32\wscntfy.exe[2188] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 002D00A8
.text C:\Program Files\Opera\opera.exe[2600] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00150030
.text C:\Program Files\Opera\opera.exe[2600] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0015006C
.text C:\Program Files\Opera\opera.exe[2600] ADVAPI32.dll!SetServiceObjectSecurity 77E06BE1 5 Bytes JMP 003801D4
.text C:\Program Files\Opera\opera.exe[2600] ADVAPI32.dll!ChangeServiceConfigA 77E06CC9 5 Bytes JMP 003800E4
.text C:\Program Files\Opera\opera.exe[2600] ADVAPI32.dll!ChangeServiceConfigW 77E06E61 5 Bytes JMP 00380120
.text C:\Program Files\Opera\opera.exe[2600] ADVAPI32.dll!ChangeServiceConfig2A 77E06F61 5 Bytes JMP 0038015C
.text C:\Program Files\Opera\opera.exe[2600] ADVAPI32.dll!ChangeServiceConfig2W 77E06FE9 5 Bytes JMP 00380198
.text C:\Program Files\Opera\opera.exe[2600] ADVAPI32.dll!CreateServiceA 77E07071 5 Bytes JMP 00380030
.text C:\Program Files\Opera\opera.exe[2600] ADVAPI32.dll!CreateServiceW 77E07209 5 Bytes JMP 0038006C
.text C:\Program Files\Opera\opera.exe[2600] ADVAPI32.dll!DeleteService 77E07311 5 Bytes JMP 003800A8
.text C:\Program Files\Opera\opera.exe[2600] USER32.dll!UnhookWindowsHookEx 77D1F22E 5 Bytes JMP 00390120
.text C:\Program Files\Opera\opera.exe[2600] USER32.dll!SetWindowsHookExW 77D23DEA 5 Bytes JMP 003900E4
.text C:\Program Files\Opera\opera.exe[2600] USER32.dll!SetWindowsHookExA 77D311F1 5 Bytes JMP 003900A8
.text C:\Program Files\Opera\opera.exe[2600] USER32.dll!SetWinEventHook 77D317D0 5 Bytes JMP 00390030
.text C:\Program Files\Opera\opera.exe[2600] USER32.dll!UnhookWinEvent 77D31885 5 Bytes JMP 0039006C
.text C:\Program Files\Opera\opera.exe[2600] WS2_32.dll!GetAddrInfoW 719F2899 5 Bytes JMP 288FC460 C:\Program Files\SpeedBit Video Accelerator\Accelerator.dll (Accelerator/SpeedBit Ltd.)
.text C:\Program Files\Opera\opera.exe[2600] WS2_32.dll!gethostbyname 719F4FD4 5 Bytes JMP 288FC800 C:\Program Files\SpeedBit Video Accelerator\Accelerator.dll (Accelerator/SpeedBit Ltd.)
.text C:\Documents and Settings\Administrateur\Bureau\gmer.exe[3020] ntdll.dll!LdrLoadDll 7C9261CA 5 Bytes JMP 00150030
.text C:\Documents and Settings\Administrateur\Bureau\gmer.exe[3020] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 0015006C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005D0002
IAT C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005D0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

Edited by SimoDarkman, 03 April 2011 - 08:27 AM.
