Unknown backdoor trojan, redirects searches.


This topic is locked
2 replies to this topic

#1 ShadowFiend

Posted 05 January 2012 - 09:16 PM

Alright, so I've got this trojan on my virtual machine that I'm unable to remove.
Here are some symptoms of the trojan:
Redirects my Google searches
Opens 2 Internet Explorer processes from the parent process c:\windows\system32\svchost.exe
Connects to a random site with the IE command line "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "random site"
The other IE process's command line is "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:(4 random numbers) CREDAT:14337
Closes and reopens the IE process every few minutes to connect to other sites and connects to multiple TCP/IP addresses.
It injected code into c:\windows\explorer.exe, c:\windows\system32\winlogon.exe and c:\windows\system32\svchost.exe (VirusTotal detected them 5/43).
Keeps creating .tmp files in C:\Documents and Settings\All Users\Application Data. When I open these files, they look like a .job file.

I need ideas on how to remove this. I am not a beginner in malware removal. I tried many things and nothing helped.


Here are my logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 20:35:42 on 2012-01-05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.247 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\procexp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VMware Tools] "c:\program files\vmware\vmware tools\VMwareTray.exe"
mRun: [VMware User Process] "c:\program files\vmware\vmware tools\VMwareUser.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1325796012046
TCP: DhcpNameServer = 192.168.189.2
TCP: Interfaces\{9B168298-2E9A-4173-9F66-F79100935FE8} : DhcpNameServer = 192.168.189.2
Notify: TPSvc - TPSvc.dll
Notify: VMUpgradeAtShutdown - VMUpgradeAtShutdownWXP.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\of5t4z0m.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3063386&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?AF=108601&babsrc=adbartrp&mntrId=4055a66a000000000000000c29ddfde2&q=
FF - prefs.js: network.proxy.type - 4
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.ovrDmn - isearch.babylon.com
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=108601
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.id - 4055a66a000000000000000c29ddfde2
FF - user.js: extensions.BabylonToolbar_i.hardId - 4055a66a000000000000000c29ddfde2
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15341
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1720:50:12
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
============= SERVICES / DRIVERS ===============
.
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2011-11-10 17968]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-11-12 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-11-12 314456]
R1 vmdebug;VMware Replay Debugging Helper;c:\windows\system32\drivers\vmdebug.sys [2011-3-25 23152]
R1 vmhgfs;vmhgfs;c:\windows\system32\drivers\vmhgfs.sys [2011-11-11 129392]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-11-12 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-11-12 44768]
R2 VMMEMCTL;Memory Control Driver;c:\program files\vmware\vmware tools\drivers\memctl\vmmemctl.sys [2011-3-25 14448]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2011-11-23 131856]
R3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys [2011-11-11 61872]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2011-11-10 11440]
R3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [2011-11-11 28080]
R3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [2011-11-11 36912]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130560]
S3 RegGuard;RegGuard;\??\c:\windows\system32\drivers\regguard.sys --> c:\windows\system32\drivers\regguard.sys [?]
S3 TPAutoConnSvc;TP AutoConnect Service;c:\program files\vmware\vmware tools\TPAutoConnSvc.exe [2011-3-25 255304]
S3 TPVCGateway;TP VC Gateway Service;c:\program files\vmware\vmware tools\TPVCGateway.exe [2011-3-25 393216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753664]
.
=============== Created Last 30 ================
.
2012-01-06 00:29:54 817 ----a-w- c:\documents and settings\all users\application data\zienaaa.tmp
2012-01-05 21:52:15 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2012-01-05 21:44:45 -------- d-----w- c:\windows\ie8updates
2012-01-05 21:43:46 -------- dc-h--w- c:\windows\ie8
2012-01-05 21:43:26 -------- d--h--w- c:\windows\msdownld.tmp
2012-01-05 21:40:52 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-01-05 21:40:52 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-01-05 21:40:51 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-01-05 21:40:51 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-01-05 21:40:50 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-01-05 21:40:50 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-01-05 21:40:48 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2012-01-05 21:09:43 -------- d-----w- c:\windows\system32\CatRoot_bak
2012-01-05 20:49:09 272128 ------w- c:\windows\system32\drivers\bthport.sys
2012-01-05 20:48:15 -------- d-----w- c:\windows\system32\PreInstall
2012-01-05 20:48:13 -------- d--h--w- c:\windows\$hf_mig$
2012-01-05 20:40:27 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-01-05 20:40:19 -------- d-----w- c:\windows\system32\SoftwareDistribution
2012-01-04 23:46:32 1057280 ----a-w- c:\windows\explorer.exe
2012-01-04 21:36:25 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2012-01-04 21:36:22 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2012-01-04 21:36:19 17408 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2012-01-04 21:36:16 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2012-01-04 21:36:13 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2012-01-04 21:34:58 25471 -c--a-w- c:\windows\system32\dllcache\watv10nt.sys
2012-01-04 21:33:58 224802 -c--a-w- c:\windows\system32\dllcache\usr1807a.sys
2012-01-04 21:32:57 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2012-01-04 21:31:59 30464 -c--a-w- c:\windows\system32\dllcache\tbatm155.sys
2012-01-04 21:30:57 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2012-01-04 21:29:59 45568 -c--a-w- c:\windows\system32\dllcache\smb3w.dll
2012-01-04 21:28:58 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2012-01-04 21:27:59 82432 -c--a-w- c:\windows\system32\dllcache\rwia450.dll
2012-01-04 21:26:57 33152 -c--a-w- c:\windows\system32\dllcache\ql10wnt.sys
2012-01-04 21:25:58 27296 -c--a-w- c:\windows\system32\dllcache\perc2.sys
2012-01-04 21:24:57 1897408 -c--a-w- c:\windows\system32\dllcache\nv4_mini.sys
2012-01-04 21:23:59 13664 -c--a-w- c:\windows\system32\dllcache\n9i128.sys
2012-01-04 21:22:56 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2012-01-04 21:21:58 606684 -c--a-w- c:\windows\system32\dllcache\ltmdmnt.sys
2012-01-04 21:20:58 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2012-01-04 21:19:59 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys
2012-01-04 21:18:59 289887 -c--a-w- c:\windows\system32\dllcache\hsf_fall.sys
2012-01-04 21:17:58 470144 -c--a-w- c:\windows\system32\dllcache\g200d.dll
2012-01-04 21:16:58 72192 -c--a-w- c:\windows\system32\dllcache\es1969.sys
2012-01-04 21:15:59 37962 -c--a-w- c:\windows\system32\dllcache\divaprop.dll
2012-01-04 21:14:59 249856 -c--a-w- c:\windows\system32\dllcache\ctmasetp.dll
2012-01-04 21:13:59 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2012-01-04 21:12:59 37376 -c--a-w- c:\windows\system32\dllcache\atievxx.exe
2012-01-04 21:11:55 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2012-01-04 21:10:54 46592 ----a-w- c:\windows\system32\dllcache\coadmin.dll
2012-01-04 21:10:53 188480 ----a-w- c:\windows\system32\dllcache\cfgwiz.exe
2012-01-04 21:10:51 20540 ----a-w- c:\windows\system32\dllcache\author.dll
2012-01-04 21:10:51 16439 ----a-w- c:\windows\system32\dllcache\author.exe
2012-01-04 21:10:48 43520 ----a-w- c:\windows\system32\dllcache\admwprox.dll
2012-01-04 21:10:48 290816 ----a-w- c:\windows\system32\dllcache\adsiis51.dll
2012-01-04 21:10:46 20540 ----a-w- c:\windows\system32\dllcache\admin.dll
2012-01-04 21:10:46 16439 ----a-w- c:\windows\system32\dllcache\admin.exe
2012-01-04 19:38:20 539136 ----a-w- c:\windows\system32\winlogon.exe
2012-01-02 20:56:48 -------- d-----w- c:\documents and settings\administrator\local settings\application data\NVIDIA Corporation
2012-01-02 20:52:35 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-02 20:52:35 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-02 20:52:34 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-02 20:52:34 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-02 19:00:42 -------- d-sha-r- C:\cmdcons
2012-01-02 18:52:17 98816 ----a-w- c:\windows\sed.exe
2012-01-02 18:52:17 518144 ----a-w- c:\windows\SWREG.exe
2012-01-02 18:52:17 256000 ----a-w- c:\windows\PEV.exe
2012-01-02 18:52:17 208896 ----a-w- c:\windows\MBR.exe
2012-01-02 00:49:57 -------- d-----w- c:\documents and settings\administrator\application data\Babylon
2011-12-28 20:30:10 -------- d-----w- c:\program files\common files\Bitdefender
2011-12-26 21:21:37 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Opera
2011-12-26 21:17:29 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Google
2011-12-21 22:06:25 64896 -c--a-w- c:\windows\system32\dllcache\serial.sys
2011-12-21 22:06:25 64896 ----a-w- c:\windows\system32\drivers\serial.sys
2011-12-21 19:36:43 -------- d-----r- C:\Sandbox
2011-12-21 19:36:16 -------- d-----w- c:\program files\Sandboxie
2011-12-20 00:58:54 -------- d-----w- c:\documents and settings\administrator\local settings\application data\QuickWebServ
2011-12-18 00:59:53 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2011-12-13 18:40:37 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Help
2011-12-13 18:23:15 2 --shatr- c:\windows\winstart.bat
2011-12-13 18:23:09 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2011-12-13 01:15:30 177664 ----a-w- c:\windows\system32\DiskSerial.dll
2011-12-11 23:17:45 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-12-11 23:08:42 -------- d-----w- c:\documents and settings\administrator\application data\TeamViewer
2011-12-11 23:08:30 -------- d-----w- c:\program files\TeamViewer
2011-12-09 16:05:12 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Adobe
2011-12-09 16:00:42 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Identities
2011-12-09 15:59:13 306688 ----a-w- c:\windows\IsUninst.exe
.
==================== Find3M ====================
.
2011-12-21 21:41:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-13 18:46:32 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-12-13 18:17:58 129392 ----a-w- c:\windows\system32\drivers\vmhgfs.sys
2011-12-10 19:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-05 21:42:40 51712 ----a-w- c:\windows\system32\migpwd.exe
2011-12-05 21:42:40 295424 ----a-w- c:\windows\system32\PresentationHost.exe
2011-12-05 21:42:39 20480 ----a-w- c:\windows\system32\cliconfg.exe
2011-12-03 00:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-11-28 18:01:25 41184 ----a-w- c:\windows\avastSS.scr
2011-11-28 17:53:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
.
============= FINISH: 20:37:39.96 ===============

GMER log:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-05 19:01:07
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Scsi\vmscsi1Port2Path0Target0Lun0 VMware,_ rev.1.0_
Running: k81ccelc.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\agpyapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xB2B5BFC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xB2BE8510]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xB2B7F6A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xB2B5E456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xB2B5E4AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xB2B5E5C4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xB2B7F05D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xB2B5E3AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xB2B5E4FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xB2B5E400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xB2B5E572]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xB2B5BFE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xB2B7FD6F]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xB2B80025]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xB2B5E848]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB2B7FBDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB2B7FA45]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xB2BE85C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xB2B5BDB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xB2B5C00C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xB2B5E9BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xB2B5CAA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xB2B5E486]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xB2B5E4D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xB2B5E5EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xB2B7F3B9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xB2B5E3D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xB2B5E680]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xB2B5E53E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xB2B5E42E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xB2B5E764]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xB2B5E59C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xB2BE8658]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xB2B7F8C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xB2B5C96A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xB2B7F712]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB2BF09E6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xB2B7E6D0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xB2B5C030]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xB2B5C054]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xB2B5BE0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xB2B5BF48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xB2B7FE76]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xB2B5BF24]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xB2B5BF6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xB2B5C078]

Code F8DA6C9C ZwRequestPort
Code F8DA6D3C ZwRequestWaitReplyPort
Code F8DA6BFC ZwTraceEvent
Code F8DA6C9B NtRequestPort
Code F8DA6D3B NtRequestWaitReplyPort
Code F8DA6BFB NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2420 80501124 4 Bytes CALL AD02C6E8
.text ntkrnlpa.exe!ZwCallbackReturn + 243C 80501140 4 Bytes CALL 98F6C3FA
.text ntkrnlpa.exe!ZwCallbackReturn + 24E8 805011EC 8 Bytes [BC, E9, B5, B2, A4, CA, B5, ...] {MOV ESP, 0xa4b2b5e9; RETF 0xb2b5}
.text ntkrnlpa.exe!NtTraceEvent 805309E4 5 Bytes JMP F8DA6C00
PAGE ntkrnlpa.exe!NtRequestPort 805968B4 5 Bytes JMP F8DA6CA0
PAGE ntkrnlpa.exe!NtRequestWaitReplyPort 80596BE0 5 Bytes JMP F8DA6D40
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 8059A312 4 Bytes CALL B2B5D00F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAcquireSemaphore + 16AA BF808524 5 Bytes JMP F8DA6480
.text win32k.sys!EngFreeUserMem + 423C BF80F617 5 Bytes JMP F8DA63E0
.text win32k.sys!EngBitBlt + 92C BF827A40 5 Bytes JMP F8DA65C0
.text win32k.sys!EngLockSurface + 153C BF82FE58 5 Bytes JMP F8DA6700
.text win32k.sys!EngUnmapFontFileFD + 112EA BF843888 5 Bytes JMP F8DA6A20
.text win32k.sys!EngMulDiv + 5509 BF849B03 5 Bytes JMP F8DA67A0
.text win32k.sys!EngStrokePath + 62A3 BF87FFC9 5 Bytes JMP B2B5EDE6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 632C BF880052 5 Bytes JMP B2B5EFBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 70B0 BF880DD6 5 Bytes JMP F8DA68E0
.text win32k.sys!BRUSHOBJ_hGetColorTransform + AFDD BF89F83F 5 Bytes JMP B2B5EF76 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 4E4C BF8CEEE3 5 Bytes JMP F8DA6980
.text win32k.sys!FONTOBJ_pxoGetXform + 77D BF8FAF04 5 Bytes JMP F8DA6660
.text win32k.sys!FONTOBJ_pxoGetXform + 230B BF8FCA92 5 Bytes JMP F8DA6520
.text win32k.sys!PATHOBJ_vGetBounds + 58C BF908B12 5 Bytes JMP B2B5ED14 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 80C BF908D92 5 Bytes JMP B2B5ED4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1993 BF911AD9 5 Bytes JMP F8DA6AC0
.text win32k.sys!EngCreateClip + 1F23 BF912069 5 Bytes JMP F8DA6B60
.text win32k.sys!EngCreateClip + 2567 BF9126AD 5 Bytes JMP F8DA6840
.text win32k.sys!EngCreateClip + 4EC1 BF915007 5 Bytes JMP B2B5F0D6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
? C:\WINDOWS\system32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\spoolsv.exe[280] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[280] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\VMware\VMware Tools\VMwareTray.exe[452] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\VMware\VMware Tools\VMwareTray.exe[452] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\VMware\VMware Tools\VMwareUser.exe[472] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\VMware\VMware Tools\VMwareUser.exe[472] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[484] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[484] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[492] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[492] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Sandboxie\SbieCtrl.exe[500] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Sandboxie\SbieCtrl.exe[500] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\System32\smss.exe[584] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[656] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[656] KERNEL32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[680] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000701F8
.text C:\WINDOWS\system32\winlogon.exe[680] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[680] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000703FC
.text C:\WINDOWS\system32\winlogon.exe[680] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[680] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\winlogon.exe[680] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\winlogon.exe[680] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\winlogon.exe[680] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\winlogon.exe[680] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\winlogon.exe[680] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\winlogon.exe[680] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\winlogon.exe[680] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\winlogon.exe[680] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\winlogon.exe[680] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\winlogon.exe[680] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\winlogon.exe[680] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\winlogon.exe[680] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[728] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\services.exe[728] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\services.exe[728] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\services.exe[728] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\services.exe[728] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\services.exe[728] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\services.exe[728] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\services.exe[728] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\lsass.exe[740] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\lsass.exe[740] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\lsass.exe[740] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\lsass.exe[740] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\lsass.exe[740] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\lsass.exe[740] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[904] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[904] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[904] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 00664840
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[980] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[980] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[980] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[980] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[980] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000801F8
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000803FC
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\Program Files\Sandboxie\SbieSvc.exe[1092] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\System32\svchost.exe[1124] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[1256] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1256] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1256] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1256] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1256] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\locator.exe[1344] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\locator.exe[1344] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1396] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1396] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1396] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002A1014
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002A0804
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002A0A08
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002A0C0C
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002A0E10
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002A03FC
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002A0600
.text C:\WINDOWS\system32\svchost.exe[1396] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1396] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1396] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1396] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1396] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\Explorer.EXE[1568] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\WINDOWS\Explorer.EXE[1568] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1568] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 000903FC
.text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 00B84840
.text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!SetServiceObjectSecurity 77E36BE1 5 Bytes JMP 002B1014
.text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!ChangeServiceConfigA 77E36CC9 5 Bytes JMP 002B0804
.text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!ChangeServiceConfigW 77E36E61 5 Bytes JMP 002B0A08
.text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!ChangeServiceConfig2A 77E36F61 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!ChangeServiceConfig2W 77E36FE9 5 Bytes JMP 002B0E10
.text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002B01F8
.text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!CreateServiceW 77E37209 5 Bytes JMP 002B03FC
.text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!DeleteService 77E37311 5 Bytes JMP 002B0600
.text C:\WINDOWS\Explorer.EXE[1568] USER32.dll!SetWinEventHook 77D6E3D3 5 Bytes JMP 002C01F8
.text C:\WINDOWS\Explorer.EXE[1568] USER32.dll!UnhookWinEvent 77D6E544 5 Bytes JMP 002C03FC
.text C:\WINDOWS\Explorer.EXE[1568] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 002C0804
.text C:\WINDOWS\Explorer.EXE[1568] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 002C0A08
.text C:\WINDOWS\Explorer.EXE[1568] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002C0600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1680] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1680] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1680] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2132] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2132] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Documents and Settings\Administrator\Desktop\k81ccelc.exe[2384] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Documents and Settings\Administrator\Desktop\k81ccelc.exe[2384] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[2936] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[2936] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 00144868
.text C:\Program Files\Internet Explorer\iexplore.exe[2936] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[2936] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2936] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2936] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2936] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2936] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2936] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2936] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2936] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2936] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\ctfmon.exe[3072] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[3072] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 00144868
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!CallNextHookEx 77D4ED6E 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!SetWindowsHookExW 77D6E621 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!UnhookWindowsHookEx 77D6F29F 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] ole32.dll!OleLoadFromStream 77518C62 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3084] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Documents and Settings\Administrator\Desktop\procexp.exe[3384] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Documents and Settings\Administrator\Desktop\procexp.exe[3384] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3640] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 016CB750 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3640] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3640] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4008] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4008] kernel32.dll!GetBinaryTypeW + 80 7C8678BC 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4008] USER32.dll!SetWindowLongA 77D4DED3 5 Bytes JMP 106C3A89 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4008] USER32.dll!SetWindowLongW 77D4DEF1 5 Bytes JMP 106C3A1B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4008] USER32.dll!GetWindowInfo 77D4F122 5 Bytes JMP 1046C909 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4008] USER32.dll!TrackPopupMenu 77D94F16 5 Bytes JMP 1046CEBD C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\yienaaa.tmp 842 bytes

---- EOF - GMER 1.0.15 ----

#2 ShadowFiend

ShadowFiend
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:07:04 PM

Posted 06 January 2012 - 11:04 AM

Nvm fixed, I just booted with recovery console and replaced the infected svchost, explorer and winlogon.
Should have thought of that before :/
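The GMER user-mode hook list in the first post shows the pattern ShadowFiend describes: exports such as LdrLoadDll, CreateServiceA/W, DeleteService and SetWindowsHookExA/W in lsass.exe, svchost.exe and Explorer.EXE are redirected by a 5-byte JMP to addresses that GMER could not attribute to any loaded module, while the hooks in iexplore.exe and firefox.exe resolve to IEFRAME.dll or xul.dll. The script below is an added example, not code from the thread or from GMER, that parses such lines and lists, per process, the hooks whose jump target is unattributed. Treating an unattributed target as "review this process first" is this example's own heuristic, not a GMER verdict, and the embedded sample lines are a subset copied from the log above so the script runs stand-alone.

```python
"""Triage GMER user-mode hook lines: which processes carry inline JMP hooks that
GMER could not attribute to a loaded module?  (Added example; not from the thread.)

Line formats handled are the ones seen in the log above:
  .text <image>[<pid>] <module>!<export>[ + <off>] <addr> <n> Byte(s) JMP <target>[ <dll> (<vendor>)]
  .text <image>[<pid>] <module>!<export>[ + <off>] <addr> <n> Byte(s) [<hex bytes>] ...
"""
import re
import sys
from collections import defaultdict

# Constructed sample: a subset of lines copied from the GMER output in the first post.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[740] ADVAPI32.dll!CreateServiceA 77E37071 5 Bytes JMP 002A01F8
.text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessInternalW 7C8191EB 5 Bytes JMP 00664840
.text C:\WINDOWS\system32\svchost.exe[904] USER32.dll!SetWindowsHookExA 77D702B2 5 Bytes JMP 002B0600
.text C:\WINDOWS\Explorer.EXE[1568] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 000901F8
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1680] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Internet Explorer\iexplore.exe[2936] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3640] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 016CB750 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
""".strip().splitlines()

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"        # image path and PID
    r"(?P<module>[^\s!]+)!(?P<func>[^\s]+)"                # hooked export, e.g. ADVAPI32.dll!CreateServiceA
    r"(?:\s+\+\s+(?P<offset>[0-9A-Fa-f]+))?\s+"            # optional "+ 1D1" offset inside the function
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<len>\d+)\s+Bytes?\s+"  # patched address and patch length
    r"(?P<patch>.+)$"                                      # "JMP <target> ..." or raw "[..]" bytes
)
# The JMP form optionally ends with the module GMER resolved the target to, plus its vendor.
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<target_mod>.+?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)


def parse_hook(line):
    """Parse one GMER '.text' line into a dict; return None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    hook = m.groupdict()
    hook["pid"] = int(hook["pid"])
    return hook


def classify(hook):
    """Return 'jmp-unattributed', 'jmp-module' or 'byte-patch' and record the JMP target."""
    m = JMP_RE.match(hook["patch"])
    if not m:
        return "byte-patch"          # e.g. the 1-byte [62] patches or avast's RET 4 stub
    hook["target"] = m.group("target")
    hook["target_mod"] = m.group("target_mod")
    return "jmp-module" if hook["target_mod"] else "jmp-unattributed"


def triage(lines):
    """Group unattributed JMP hooks by process: {(image, pid): [(export, target), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        hook = parse_hook(line)
        if hook is not None and classify(hook) == "jmp-unattributed":
            export = f"{hook['module']}!{hook['func']}"
            findings[(hook["proc"], hook["pid"])].append((export, hook["target"]))
    return dict(findings)


def format_report(findings):
    """Render triage() output as text, one block per process, ordered by PID."""
    out = []
    for (image, pid), hooks in sorted(findings.items(), key=lambda kv: kv[0][1]):
        out.append(f"{image}[{pid}]: {len(hooks)} hook(s) into unattributed memory")
        for export, target in hooks:
            out.append(f"    {export} -> {target}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python gmer_triage.py gmer.log   (falls back to the embedded sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    print(format_report(triage(lines)))
```

Run against the full log, the report puts lsass.exe, every svchost.exe instance, SbieSvc.exe and Explorer.EXE at the top, which matches the processes the OP found injected and replaced. Byte patches are deliberately not scored: the same 1-byte patch appears in every process on this box, including procexp.exe, so on its own it says nothing about a specific process and has to be judged against what the installed security software is known to install.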

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,577 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:04 AM

Posted 08 January 2012 - 04:45 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
