Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Menu options dissapeared


  • This topic is locked This topic is locked
25 replies to this topic

#1 mr benn

mr benn

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:43 AM

Posted 22 March 2011 - 04:57 PM

I seemed to pick up a virus this afternoon. Avast alerted it to me , then some sort of system recovery kicked in (not sure if it was spoof or not - so i just switched off the pc).

I have now run Super Anti-spyware and Malwarebytes (see log attached).

I can now log in okay nd run IE okay. However, a load of the programs are now missing whn i click on start /all programs. For example Microsoft office, and the Systems Tools in Accessories is empty.
Ive also lost the shortcuts I had in my system tray.

I have tried a system restore - but that hasnt made any difference.

Windows XP 2002 sp3
Patriot 2980

BC AdBot (Login to Remove)

 


#2 mr benn

mr benn
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:43 AM

Posted 22 March 2011 - 05:34 PM

I cant see the option to add an attachment - so please see Malware-bytes file results below ....


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6135

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

22/03/2011 21:03:08
mbam-log-2011-03-22 (21-03-08).txt

Scan type: Full scan (C:\|)
Objects scanned: 307580
Time elapsed: 46 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EiFFCEDNieigqPO (Trojan.Downloader) -> Value: EiFFCEDNieigqPO -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\eiffcednieigqpo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\DADDY\local settings\temp\ldr86e1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\system volume information\_restore{179001e5-6952-451b-a2f3-ccaca9c8cc55}\RP1222\A0759730.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\system volume information\_restore{179001e5-6952-451b-a2f3-ccaca9c8cc55}\RP1222\A0760733.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.

#3 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:04:43 AM

Posted 26 March 2011 - 03:08 PM

Hello,

And welcome to BleepingComputer.com, before we can assist you with your question of: Am I infected? You will need to perform the following tasks and post the logs of each if you can.

Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Instructions:

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now GMER

GMER does not work in 64bit Mode!!!!!!

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.



#4 mr benn

mr benn
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:43 AM

Posted 28 March 2011 - 03:26 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5892

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

27/02/2011 15:18:23
mbam-log-2011-02-27 (15-18-23).txt

Scan type: Full scan (C:\|)
Objects scanned: 298299
Time elapsed: 44 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pIfAhMp06308 (Trojan.FakeAlert) -> Value: pIfAhMp06308 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\pifahmp06308\pifahmp06308.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

-----------------------------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Loghttp://www.superantispyware.com

Generated 03/28/2011 at 07:17 PM

Application Version : 4.47.1000

Core Rules Database Version : 6690
Trace Rules Database Version: 4502

Scan type : Complete Scan
Total Scan Time : 01:39:58

Memory items scanned : 278
Memory threats detected : 0
Registry items scanned : 7346
Registry threats detected : 0
File items scanned : 87476
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\DADDY\Cookies\daddy@atdmt[1].txt

---------------------------------------------------------------------

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-28 20:53:16
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6Y080L0 rev.YAR41BW0
Running: 921mzz9u.exe; Driver: C:\DOCUME~1\DADDY\LOCALS~1\Temp\fwlyrpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xB4ED19CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xB4F76A68]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xB4EF1AF5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xB4ED3EAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xB4ED3F04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xB4ED401A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xB4EF14A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xB4ED3E02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xB4ED3F54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xB4ED3E56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xB4ED3FC8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xB4ED19EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xB4EF21BB]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xB4EF2471]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xB4ED429E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB4EF2026]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB4EF1E91]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xB4F76B18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xB4ED17B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xB4ED1A12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xB4ED4412]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xB4ED24AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xB4ED3EDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xB4ED3F2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xB4ED4044]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xB4EF1805]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xB4ED3E2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xB4ED40D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xB4ED3F94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xB4ED3E84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xB4ED41BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xB4ED3FF2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xB4F76BB0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xB4EF1D0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xB4ED2370]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xB4EF1B5E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB4F7EE26]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xB4EF0B1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xB4ED1A36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xB4ED1A5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xB4ED1812]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xB4ED194E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xB4EF22C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xB4ED192A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xB4ED1972]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xB4ED1A7E]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB4F8B8DE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 34D 804E29B9 3 Bytes [EE, F7, B4]
PAGE ntoskrnl.exe!ObInsertObject 805650BA 5 Bytes JMP B4F88D38 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056BB08 4 Bytes CALL B4ED2E25 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8058124C 3 Bytes JMP B4F8B8E2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx + 4 80581250 3 Bytes [34, CC, CC] {XOR AL, 0xcc; INT 3 }
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805A038B 5 Bytes JMP B4F8729E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xB92CE510]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[220] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[220] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[220] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\svchost.exe[220] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\svchost.exe[220] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\svchost.exe[220] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\svchost.exe[220] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00140030
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0014006C
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003800E4
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380120
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003800A8
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00380030
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0038006C
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003901D4
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003900E4
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390120
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0039015C
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390198
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00390030
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0039006C
.text C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe[324] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003900A8
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003901D4
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003900E4
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390120
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0039015C
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390198
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00390030
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0039006C
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003900A8
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A00E4
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0120
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A00A8
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A0030
.text C:\Program Files\Java\jre6\bin\jqs.exe[336] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A006C
.text C:\Documents and Settings\DADDY\Desktop\921mzz9u.exe[544] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Documents and Settings\DADDY\Desktop\921mzz9u.exe[544] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00070030
.text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\winlogon.exe[584] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\winlogon.exe[584] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\winlogon.exe[584] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\winlogon.exe[584] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\winlogon.exe[584] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\winlogon.exe[584] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\winlogon.exe[584] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\winlogon.exe[584] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\winlogon.exe[584] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\winlogon.exe[584] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\winlogon.exe[584] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\winlogon.exe[584] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\winlogon.exe[584] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\services.exe[628] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\services.exe[628] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\services.exe[628] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\services.exe[628] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\services.exe[628] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\services.exe[628] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\services.exe[628] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\lsass.exe[640] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\lsass.exe[640] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\lsass.exe[640] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\lsass.exe[640] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\lsass.exe[640] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\svchost.exe[792] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[792] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[792] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\svchost.exe[792] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[792] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[792] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\svchost.exe[792] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\svchost.exe[792] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[792] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[792] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[792] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\svchost.exe[792] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\svchost.exe[792] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\svchost.exe[792] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\svchost.exe[792] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\svchost.exe[848] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\System32\svchost.exe[916] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\svchost.exe[916] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\svchost.exe[916] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\System32\svchost.exe[916] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\System32\svchost.exe[916] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\System32\svchost.exe[916] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\System32\svchost.exe[916] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\System32\svchost.exe[916] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\System32\svchost.exe[916] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\System32\svchost.exe[916] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\System32\svchost.exe[916] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\System32\svchost.exe[916] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\System32\svchost.exe[916] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\System32\svchost.exe[916] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\System32\svchost.exe[916] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[1096] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\svchost.exe[1096] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\svchost.exe[1096] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\svchost.exe[1096] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\svchost.exe[1096] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1232] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\WINDOWS\system32\spoolsv.exe[1528] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\spoolsv.exe[1528] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\spoolsv.exe[1528] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\spoolsv.exe[1528] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\spoolsv.exe[1528] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\spoolsv.exe[1528] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\spoolsv.exe[1528] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\spoolsv.exe[1528] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\System32\svchost.exe[1668] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\svchost.exe[1668] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\svchost.exe[1668] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\System32\svchost.exe[1668] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\System32\svchost.exe[1668] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\System32\svchost.exe[1668] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\System32\svchost.exe[1668] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\System32\svchost.exe[1668] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\System32\svchost.exe[1668] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\System32\svchost.exe[1668] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\System32\svchost.exe[1668] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\System32\svchost.exe[1668] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\System32\svchost.exe[1668] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\System32\svchost.exe[1668] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\System32\svchost.exe[1668] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\Explorer.EXE[1676] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\Explorer.EXE[1676] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\Explorer.EXE[1676] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C01D4
.text C:\WINDOWS\Explorer.EXE[1676] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C00E4
.text C:\WINDOWS\Explorer.EXE[1676] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0120
.text C:\WINDOWS\Explorer.EXE[1676] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C015C
.text C:\WINDOWS\Explorer.EXE[1676] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0198
.text C:\WINDOWS\Explorer.EXE[1676] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C0030
.text C:\WINDOWS\Explorer.EXE[1676] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C006C
.text C:\WINDOWS\Explorer.EXE[1676] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C00A8
.text C:\WINDOWS\Explorer.EXE[1676] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D00E4
.text C:\WINDOWS\Explorer.EXE[1676] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0120
.text C:\WINDOWS\Explorer.EXE[1676] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D00A8
.text C:\WINDOWS\Explorer.EXE[1676] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D0030
.text C:\WINDOWS\Explorer.EXE[1676] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D006C
.text C:\WINDOWS\System32\svchost.exe[1716] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\svchost.exe[1716] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\System32\svchost.exe[1716] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\System32\svchost.exe[1716] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\System32\svchost.exe[1716] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\System32\svchost.exe[1716] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\System32\svchost.exe[1716] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\System32\svchost.exe[1716] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003900E4
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390120
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003900A8
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00390030
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0039006C
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A01D4
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A00E4
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0120
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A015C
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0198
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A0030
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A006C
.text C:\Program Files\Macrium\Reflect\ReflectService.exe[1760] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A00A8
.text C:\WINDOWS\system32\svchost.exe[1872] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1872] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[1872] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[1872] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\svchost.exe[1872] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\svchost.exe[1872] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\svchost.exe[1872] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\svchost.exe[1872] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\Program Files\QuickTime\QTTask.exe[1988] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\QuickTime\QTTask.exe[1988] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Program Files\QuickTime\QTTask.exe[1988] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003900E4
.text C:\Program Files\QuickTime\QTTask.exe[1988] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390120
.text C:\Program Files\QuickTime\QTTask.exe[1988] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003900A8
.text C:\Program Files\QuickTime\QTTask.exe[1988] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00390030
.text C:\Program Files\QuickTime\QTTask.exe[1988] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0039006C
.text C:\Program Files\QuickTime\QTTask.exe[1988] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A01D4
.text C:\Program Files\QuickTime\QTTask.exe[1988] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A00E4
.text C:\Program Files\QuickTime\QTTask.exe[1988] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0120
.text C:\Program Files\QuickTime\QTTask.exe[1988] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A015C
.text C:\Program Files\QuickTime\QTTask.exe[1988] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0198
.text C:\Program Files\QuickTime\QTTask.exe[1988] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A0030
.text C:\Program Files\QuickTime\QTTask.exe[1988] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A006C
.text C:\Program Files\QuickTime\QTTask.exe[1988] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A00A8
.text C:\WINDOWS\system32\ctfmon.exe[1996] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A0030
.text C:\WINDOWS\system32\ctfmon.exe[1996] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A006C
.text C:\WINDOWS\system32\ctfmon.exe[1996] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C01D4
.text C:\WINDOWS\system32\ctfmon.exe[1996] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\ctfmon.exe[1996] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\ctfmon.exe[1996] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C015C
.text C:\WINDOWS\system32\ctfmon.exe[1996] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0198
.text C:\WINDOWS\system32\ctfmon.exe[1996] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\ctfmon.exe[1996] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C006C
.text C:\WINDOWS\system32\ctfmon.exe[1996] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\ctfmon.exe[1996] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D00E4
.text C:\WINDOWS\system32\ctfmon.exe[1996] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0120
.text C:\WINDOWS\system32\ctfmon.exe[1996] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D00A8
.text C:\WINDOWS\system32\ctfmon.exe[1996] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D0030
.text C:\WINDOWS\system32\ctfmon.exe[1996] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D006C
.text C:\WINDOWS\system32\svchost.exe[2032] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[2032] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\svchost.exe[2032] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\system32\svchost.exe[2032] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\system32\svchost.exe[2032] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\system32\svchost.exe[2032] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\system32\svchost.exe[2032] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\system32\svchost.exe[2032] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\System32\svchost.exe[2324] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\svchost.exe[2324] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\svchost.exe[2324] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
.text C:\WINDOWS\System32\svchost.exe[2324] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
.text C:\WINDOWS\System32\svchost.exe[2324] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
.text C:\WINDOWS\System32\svchost.exe[2324] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
.text C:\WINDOWS\System32\svchost.exe[2324] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
.text C:\WINDOWS\System32\svchost.exe[2324] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
.text C:\WINDOWS\System32\svchost.exe[2324] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
.text C:\WINDOWS\System32\svchost.exe[2324] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
.text C:\WINDOWS\System32\svchost.exe[2324] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
.text C:\WINDOWS\System32\svchost.exe[2324] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
.text C:\WINDOWS\System32\svchost.exe[2324] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
.text C:\WINDOWS\System32\svchost.exe[2324] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
.text C:\WINDOWS\System32\svchost.exe[2324] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
.text C:\WINDOWS\System32\alg.exe[3068] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\alg.exe[3068] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\alg.exe[3068] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B00E4
.text C:\WINDOWS\System32\alg.exe[3068] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0120
.text C:\WINDOWS\System32\alg.exe[3068] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B00A8
.text C:\WINDOWS\System32\alg.exe[3068] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B0030
.text C:\WINDOWS\System32\alg.exe[3068] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B006C
.text C:\WINDOWS\System32\alg.exe[3068] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C01D4
.text C:\WINDOWS\System32\alg.exe[3068] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C00E4
.text C:\WINDOWS\System32\alg.exe[3068] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0120
.text C:\WINDOWS\System32\alg.exe[3068] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C015C
.text C:\WINDOWS\System32\alg.exe[3068] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0198
.text C:\WINDOWS\System32\alg.exe[3068] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C0030
.text C:\WINDOWS\System32\alg.exe[3068] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C006C
.text C:\WINDOWS\System32\alg.exe[3068] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C00A8
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00140030
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0014006C
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003900E4
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390120
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003900A8
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00390030
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0039006C
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A01D4
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A00E4
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0120
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A015C
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0198
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A0030
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A006C
.text C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe[3076] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A00A8

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[628] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005F0002
IAT C:\WINDOWS\system32\services.exe[628] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005F0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows ® 2000 DDK provider)
AttachedDevice \FileSystem\Ntfs \Ntfs sisidex.sys (SISIDEX Driver/Windows ® 2000 DDK provider)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp MpFirewall.sys
AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

Device \FileSystem\Fastfat \Fat B0B5ED20

AttachedDevice \FileSystem\Fastfat \Fat sisidex.sys (SISIDEX Driver/Windows ® 2000 DDK provider)
AttachedDevice \FileSystem\Fastfat \Fat sisidex.sys (SISIDEX Driver/Windows ® 2000 DDK provider)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Deskjet F4200 series@ChangeID 570453

---- EOF - GMER 1.0.15 ----

#5 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:04:43 AM

Posted 28 March 2011 - 04:23 PM

Can you please update MBAM and rerun your scan?

#6 mr benn

mr benn
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:43 AM

Posted 29 March 2011 - 04:51 AM

Dan - Are you saying re-run it because the version was out of date - or because I need to rerun it again anyway ?
I was sure I updated Malware Bytes before I ran it ? Just looked at the version on the official site and its 1.50.1. like mine (though next set of digits may have incrimented).

Also, can you please just confrim that i run it in normal mode, and do I have to disable my Avast and Windows firewall ?

Thanks for your help.

#7 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:04:43 AM

Posted 29 March 2011 - 04:53 AM

Yes re-run it after you get the latest definitions update for mbam. You dont have to disable anything.

#8 mr benn

mr benn
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:43 AM

Posted 30 March 2011 - 01:55 PM

I have ran Malwarebytes having updated it first - and it has found no errors. (see below)

What is even more concerning now though is since running GMER and Super Anti-Software in my last post, my pc is now taking ages to boot up each time - several minutes instead of one minute at the most, and generally seems slow.

I have even tried to do a System Resore, but that failed (no error message , it just took ages to run , then said no files restored - and restore was unable to complete or something).

My menu's are still incomplete. And Ive also realised I cant print for some reason.


Malwarebytes' Anti-Malware 1.50.1.1100www.malwarebytes.org

Database version: 6215

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

30/03/2011 19:05:40
mbam-log-2011-03-30 (19-05-40).txt

Scan type: Full scan (C:\|)
Objects scanned: 293806
Time elapsed: 4 hour(s), 26 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by mr benn, 30 March 2011 - 01:57 PM.


#9 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:04:43 AM

Posted 30 March 2011 - 01:58 PM

Can you post the GMER and Super Anti-Spyware logs if you redid those?

Please perform the following, so that we can get the exact specs of your computer. This will better assist us in helping you more.

Publish a Snapshot using Speccy

The below is for those who cannot get online

Please take caution when attaching a text file to your post if you cannot copy/paste the link to your post, you will need to edit it to make sure that your Windows Key is not present.

#10 mr benn

mr benn
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:43 AM

Posted 30 March 2011 - 02:11 PM

No , sorry , I didnt mean to say I had re-ran GMER and Ant-spyware. It just seemed to slow down since (maybe co-incidence I know).

Here is the Speccy results of my PatriotPT2980

http://speccy.piriform.com/results/FArqFRO9ypHqWXpMLt01u3y



Something is badly wrong with my pc becuase if I try and even play a video stored on my pc it is just breaking up as playing so slow.

Edited by mr benn, 30 March 2011 - 02:17 PM.


#11 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:04:43 AM

Posted 30 March 2011 - 02:26 PM

have you updated drivers?

#12 mr benn

mr benn
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:43 AM

Posted 30 March 2011 - 03:33 PM

Sorry , what drivers ? Not sure what the relevance to my issue is ?... thanks.

If I try and play a video file its very slow and broke up - but if I go back to the start of it ,it then plays okay up to the point I pressed rewind - if that helps.Same with a sound recording.

The internet appears to function okay.

When I boot up the pc it now takes gaes to boot up - it now takes ages to get past the the 'Windows XP ' screen - the blue bars keep moving , but takes ages to load.

Not sure if my menu issue and this 'new' speed issue is related.

Edited by mr benn, 31 March 2011 - 12:43 PM.


#13 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:04:43 AM

Posted 01 April 2011 - 05:28 PM

Have you visited the manufactures site of your lap top to get updated drivers for your hardware like the chipset?

#14 o0luigi0o

o0luigi0o

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:12:43 AM

Posted 01 April 2011 - 05:54 PM

this is a new virus, im assuming rootkit. but, i've had two pcs so far lose their start menus, and a constant google redirect in ie and firefox. mbytes, combofix, and superanti dont detect it yet.

#15 mr benn

mr benn
  • Topic Starter

  • Members
  • 83 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:43 AM

Posted 02 April 2011 - 04:03 AM

In the other instances of this 'virus' , did it affect the speed of how the pc boots up ? That didnt seem to happen straight away. Im wondering if its more of a memory / processor issue , as playing videos seems to struggle as well at the moment.

If I could find a website for the drivers I would try them - not sure how thats linked to my current issue - but willing to learn.

Im beginning to hedge towards taking the hint that its time to upgrade my pc , or buy a new one anyway. As Ive had this 7 years or so. Pentium 4 and 1.5 gig of Ram.

Thanks for any help

Edited by mr benn, 02 April 2011 - 05:15 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users