Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirect virus problem. Win32.Sirefef-P variant


  • This topic is locked This topic is locked
28 replies to this topic

#1 beatmstrj

beatmstrj

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:51 AM

Posted 03 April 2012 - 01:14 PM

A friends work computer has been infected with a virus of some sort. There are no typical malware popups but I was getting browser redirects and now I can't seem to get any network connectivity at all. When I try to run ipconfig it says "An internal error occured: The request is not supported" then "Additional information: Unable to query host name". Avast antivirus is installed and will occasionally pop up dialogs that say Win32.Sirefef-PL rootkit was detected and it needs to reboot to clean it. After a lengthy scan on reboot process it just comes back and Avast finds it again. Could definitely use the talents of this forum to help me out. Thanks in advance.

If its any help, i'm having the exact same symptoms as this poster:
http://www.bleepingcomputer.com/forums/topic447556.html

LOG:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Compaq_Owner at 19:06:00 on 2012-04-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.100 [GMT -7:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Browny02\Brother\BrStMonW.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Browny02\BrYNSvc.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uWindow Title = Internet Explorer, optimized for Bing and MSN
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [EzRServer] c:\program files\ezwatch pro 3.0 hd 3404hs\EzRServer.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ALCMTR] ALCMTR.EXE
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158429354745
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{6D0C2A73-42BA-4FBF-8F66-30143A39105E} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{80443072-5384-4D29-A197-604ECE8884D8} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
Filter: application/x-vcm8 - {560A62D2-E52E-4BC6-A88C-5E4651A2C1D1} - c:\progra~1\g7ps\versac~1\messen~1\VCMCON~1.OCX
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-3-28 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-3-28 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-3-28 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-3-28 44768]
R2 BT878;Witness 3404HS Video Device 0;c:\windows\system32\drivers\WITHS341.SYS [2006-9-8 255872]
R2 BT8782;Witness 3404HS Video Device 1;c:\windows\system32\drivers\WITHS342.SYS [2006-9-8 255872]
R2 BT8783;Witness 3404HS Video Device 2;c:\windows\system32\drivers\WITHS343.SYS [2006-9-8 255872]
R2 BT8784;Witness 3404HS Video Device 3;c:\windows\system32\drivers\WITHS344.SYS [2006-9-8 255872]
R2 BT8785;Witness 3404HS Video Device 4;c:\windows\system32\drivers\WITHS345.SYS [2006-9-8 255872]
R2 BT8786;Witness 3404HS Video Device 5;c:\windows\system32\drivers\WITHS346.SYS [2006-9-8 255872]
R2 BT8787;Witness 3404HS Video Device 6;c:\windows\system32\drivers\WITHS347.SYS [2006-9-8 255872]
R2 BT8788;Witness 3404HS Video Device 7;c:\windows\system32\drivers\WITHS348.SYS [2006-9-8 255872]
R3 Audio;Witness 3404HS Audio;c:\windows\system32\drivers\WithsAud.sys [2006-9-8 8021]
R3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2011-1-12 245760]
S2 NecUsb3;USB3 Service;c:\windows\system32\svchost.exe -k NecUsb3Sevic [2004-8-3 14336]
.
=============== Created Last 30 ================
.
2012-03-28 23:25:50 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-28 23:25:50 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2012-03-28 22:38:32 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-28 22:37:38 41184 ----a-w- c:\windows\avastSS.scr
2012-03-28 22:37:03 -------- d-----w- c:\program files\AVAST Software
2012-03-28 22:37:03 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-03-26 23:39:30 57344 ----a-w- c:\windows\system32\6to4v32.dll
2012-03-26 23:39:21 156672 ----a-w- c:\windows\system32\NEUSBw32.dll
2012-03-26 22:09:13 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
==================== Find3M ====================
.
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2004-08-04 04:00:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 -csh--w- c:\windows\twain_32.dll
2011-02-08 13:33:55 978944 -csh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 -csh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll
2010-12-20 17:32:15 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
============= FINISH: 19:06:55.60 ===============

Attached Files


Edited by beatmstrj, 03 April 2012 - 06:59 PM.


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:51 AM

Posted 09 April 2012 - 06:51 AM

Hi,

Hi,

you have been infected by a nasty rootkit. It is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to clean, then please run ComboFix and post the log in your next reply:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 beatmstrj

beatmstrj
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:51 AM

Posted 09 April 2012 - 01:09 PM

Here is my reply from Combofix. I wasn't able to install recovery console because there is no internet connection but I ran the scan anyway. It ran saying I was infected with "ZeroAccess" rootkit and needed to reboot. It rebooted and ran the scan again, but doesn't look like it has fixed the problem.


ComboFix 12-04-09.02 - Compaq_Owner 04/09/2012 10:17:57.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.164 [GMT -7:00]
Running from: e:\virus tools\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Compaq_Owner\My Documents\avast_free_antivirus_setup.exe
c:\documents and settings\Compaq_Owner\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\windows\$NtUninstallKB62280$\1784893374
c:\windows\$NtUninstallKB62280$\485945278\@
c:\windows\$NtUninstallKB62280$\485945278\cfg.ini
c:\windows\$NtUninstallKB62280$\485945278\Desktop.ini
c:\windows\$NtUninstallKB62280$\485945278\L\bfhdmwap
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\protectedstorage.dll
c:\windows\system32\SET99.tmp
c:\windows\system32\SET9E.tmp
D:\Autorun.inf
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :)
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\system32\dllcache\afd.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_6to4
-------\Legacy_licensemanagersocket
-------\Service_licensemanagersocket
.
.
((((((((((((((((((((((((( Files Created from 2012-03-09 to 2012-04-09 )))))))))))))))))))))))))))))))
.
.
2012-04-04 01:25 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-03 21:19 . 2004-08-17 19:00 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-04-03 21:19 . 2004-08-17 19:00 74752 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2012-03-31 00:41 . 2012-03-31 00:43 -------- d-----w- c:\documents and settings\Administrator
2012-03-28 23:25 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-28 23:25 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2012-03-28 22:38 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-28 22:38 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-28 22:38 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-28 22:38 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-28 22:38 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-28 22:38 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-28 22:38 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-28 22:38 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-03-28 22:37 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-03-28 22:37 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-28 22:37 . 2012-03-28 22:37 -------- d-----w- c:\program files\AVAST Software
2012-03-28 22:37 . 2012-03-28 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-26 23:39 . 2012-03-28 02:31 57344 ----a-w- c:\windows\system32\6to4v32.dll
2012-03-26 23:39 . 2012-03-26 23:39 156672 ----a-w- c:\windows\system32\NEUSBw32.dll
2012-03-26 22:12 . 2012-03-26 22:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 2004-08-04 04:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 03:05 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2004-08-04 04:00 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2004-08-04 04:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 -csh--w- c:\windows\twain_32.dll
2011-02-08 13:33 978944 -csh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 57344 -csh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343040 --sha-w- c:\windows\system32\msvcrt.dll
2010-12-20 17:32 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-02-10 2621440]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-19 27136]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-19 27136]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Pyramid\\TimeTrax\\Pyramid.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1201:TCP"= 1201:TCP:*:Disabled:EZWatchPro1201
"1001:TCP"= 1001:TCP:*:Disabled:EZWatchPro1001
"1901:TCP"= 1901:TCP:*:Disabled:EZWatchPro1901
"8000:TCP"= 8000:TCP:*:Disabled:EZWatchPro8000
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/28/2012 3:38 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/28/2012 3:38 PM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/28/2012 3:38 PM 20696]
R2 BT878;Witness 3404HS Video Device 0;c:\windows\system32\drivers\WITHS341.SYS [9/8/2006 3:36 PM 255872]
R2 BT8782;Witness 3404HS Video Device 1;c:\windows\system32\drivers\WITHS342.SYS [9/8/2006 3:36 PM 255872]
R2 BT8783;Witness 3404HS Video Device 2;c:\windows\system32\drivers\WITHS343.SYS [9/8/2006 3:36 PM 255872]
R2 BT8784;Witness 3404HS Video Device 3;c:\windows\system32\drivers\WITHS344.SYS [9/8/2006 3:36 PM 255872]
R2 BT8785;Witness 3404HS Video Device 4;c:\windows\system32\drivers\WITHS345.SYS [9/8/2006 3:36 PM 255872]
R2 BT8786;Witness 3404HS Video Device 5;c:\windows\system32\drivers\WITHS346.SYS [9/8/2006 3:36 PM 255872]
R2 BT8787;Witness 3404HS Video Device 6;c:\windows\system32\drivers\WITHS347.SYS [9/8/2006 3:36 PM 255872]
R2 BT8788;Witness 3404HS Video Device 7;c:\windows\system32\drivers\WITHS348.SYS [9/8/2006 3:36 PM 255872]
R3 Audio;Witness 3404HS Audio;c:\windows\system32\drivers\WithsAud.sys [9/8/2006 3:36 PM 8021]
R3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [1/12/2011 6:50 PM 245760]
S2 NecUsb3;USB3 Service;c:\windows\System32\svchost.exe -k NecUsb3Sevic [8/3/2004 9:00 PM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
licensemanagersocket
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-01 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]
.
2012-03-01 c:\windows\Tasks\Disk Defragmenter.job
- c:\windows\system32\dfrg.msc [2004-08-04 04:00]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.0.1
Filter: application/x-vcm8 - {560A62D2-E52E-4BC6-A88C-5E4651A2C1D1} - c:\progra~1\G7PS\VERSAC~1\MESSEN~1\VCMCON~1.OCX
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-EzRServer - c:\program files\EZWatch Pro 3.0 HD 3404HS\EzRServer.exe
HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
AddRemove-CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1 - c:\program files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1\HXFSETUP.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-03 18:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB62280$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(448)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3628)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Netscape Internet Service\ncupdatesvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\Brother\ControlCenter3\brccMCtl.exe
.
**************************************************************************
.
Completion time: 2012-04-09 10:36:39 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-09 10:36
.
Pre-Run: 177,399,050,240 bytes free
Post-Run: 177,725,739,008 bytes free
.
- - End Of File - - 6FD874A91DDA5F894A2DFA56C58D888D

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:51 AM

Posted 09 April 2012 - 03:20 PM

Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/topic448719.html
ADS::
Collect::[100]
c:\windows\system32\NEUSBw32.dll

Netsvc::
licensemanagersocket

registry::
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsb3Sevic=-

Driver::
NecUsb3

Save this as CFScript.txt


Posted Image


Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Edited by myrti, 09 April 2012 - 03:20 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 beatmstrj

beatmstrj
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:51 AM

Posted 09 April 2012 - 07:15 PM

Here is the log from ComboFix after running it with the script you provided.

Notes:
- While copying the script to my USB key, the combofix I ran previously was detected as a virus by the Symantec virus protection I have installed on my other computer. The file was quarantined as "TROJAN.ADH.2". I downloaded a new copy of Combofix before proceeding.
- I was not able to upload the files for further processing to combofix because this computer cannot currently connect to the internet, however I did a manual upload of the zip file using the generated CFSUBMIT.htm file on my other computer.


LOG:
ComboFix 12-04-09.05 - Compaq_Owner 04/09/2012 16:10:40.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.177 [GMT -7:00]
Running from: e:\virus tools\ComboFix.exe
Command switches used :: e:\virus tools\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
file zipped: c:\windows\system32\NEUSBw32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\NEUSBw32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NECUSB3
-------\Service_NecUsb3
.
.
((((((((((((((((((((((((( Files Created from 2012-03-09 to 2012-04-09 )))))))))))))))))))))))))))))))
.
.
2012-04-04 01:25 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-04 01:25 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\dllcache\afd.sys
2012-04-03 21:19 . 2004-08-17 19:00 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-04-03 21:19 . 2004-08-17 19:00 74752 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2012-03-31 00:41 . 2012-03-31 00:43 -------- d-----w- c:\documents and settings\Administrator
2012-03-28 23:25 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-28 23:25 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2012-03-28 22:38 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-28 22:38 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-28 22:38 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-28 22:38 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-28 22:38 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-28 22:38 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-28 22:38 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-28 22:38 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-03-28 22:37 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-03-28 22:37 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-28 22:37 . 2012-03-28 22:37 -------- d-----w- c:\program files\AVAST Software
2012-03-28 22:37 . 2012-03-28 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-26 23:39 . 2012-03-28 02:31 57344 ----a-w- c:\windows\system32\6to4v32.dll
2012-03-26 22:12 . 2012-03-26 22:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 2004-08-04 04:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 03:05 3072 ------w- c:\windows\system32\iacenc.dll
2004-08-04 04:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 -csh--w- c:\windows\twain_32.dll
2011-02-08 13:33 978944 -csh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 57344 -csh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2010-12-20 17:32 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-02-10 2621440]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-19 27136]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-19 27136]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Pyramid\\TimeTrax\\Pyramid.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1201:TCP"= 1201:TCP:*:Disabled:EZWatchPro1201
"1001:TCP"= 1001:TCP:*:Disabled:EZWatchPro1001
"1901:TCP"= 1901:TCP:*:Disabled:EZWatchPro1901
"8000:TCP"= 8000:TCP:*:Disabled:EZWatchPro8000
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/28/2012 3:38 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/28/2012 3:38 PM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/28/2012 3:38 PM 20696]
R2 BT878;Witness 3404HS Video Device 0;c:\windows\system32\drivers\WITHS341.SYS [9/8/2006 3:36 PM 255872]
R2 BT8782;Witness 3404HS Video Device 1;c:\windows\system32\drivers\WITHS342.SYS [9/8/2006 3:36 PM 255872]
R2 BT8783;Witness 3404HS Video Device 2;c:\windows\system32\drivers\WITHS343.SYS [9/8/2006 3:36 PM 255872]
R2 BT8784;Witness 3404HS Video Device 3;c:\windows\system32\drivers\WITHS344.SYS [9/8/2006 3:36 PM 255872]
R2 BT8785;Witness 3404HS Video Device 4;c:\windows\system32\drivers\WITHS345.SYS [9/8/2006 3:36 PM 255872]
R2 BT8786;Witness 3404HS Video Device 5;c:\windows\system32\drivers\WITHS346.SYS [9/8/2006 3:36 PM 255872]
R2 BT8787;Witness 3404HS Video Device 6;c:\windows\system32\drivers\WITHS347.SYS [9/8/2006 3:36 PM 255872]
R2 BT8788;Witness 3404HS Video Device 7;c:\windows\system32\drivers\WITHS348.SYS [9/8/2006 3:36 PM 255872]
R3 Audio;Witness 3404HS Audio;c:\windows\system32\drivers\WithsAud.sys [9/8/2006 3:36 PM 8021]
R3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [1/12/2011 6:50 PM 245760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-01 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]
.
2012-03-01 c:\windows\Tasks\Disk Defragmenter.job
- c:\windows\system32\dfrg.msc [2004-08-04 04:00]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.0.1
Filter: application/x-vcm8 - {560A62D2-E52E-4BC6-A88C-5E4651A2C1D1} - c:\progra~1\G7PS\VERSAC~1\MESSEN~1\VCMCON~1.OCX
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-09 16:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(448)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3880)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Netscape Internet Service\ncupdatesvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\Brother\ControlCenter3\brccMCtl.exe
.
**************************************************************************
.
Completion time: 2012-04-09 16:59:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-09 23:59
ComboFix2.txt 2012-04-04 01:36
.
Pre-Run: 177,676,406,784 bytes free
Post-Run: 177,811,312,640 bytes free
.
- - End Of File - - 83F49CF60FC209E50E30931779A3BA1A

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:51 AM

Posted 10 April 2012 - 07:20 AM

Hi,

did you at any time get detections from symantec on the zip-file? Did Symantec block it? It seems broken.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 beatmstrj

beatmstrj
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:51 AM

Posted 10 April 2012 - 01:08 PM

Looks like the file was bad on my end too. I recopied the file and tested it and it seems to be working this time. No viruses found during scan. I resent the file for evaluation.

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:51 AM

Posted 10 April 2012 - 07:47 PM

Hi,

I have received the file thanks. Does NecUSB ring a bell? Did you ever install something by that name?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 beatmstrj

beatmstrj
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:51 AM

Posted 11 April 2012 - 12:16 PM

The only external devices on this machine are

- Brother printer
- Rocketfish wireless mouse/keyboard
- Envision monitor
- Western Digital external HD

There are also two add on cards used for video capture from a surveillance system. So I don't recall anything specific to NEC.

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:51 AM

Posted 12 April 2012 - 05:00 AM

Hi,

ok,that's what I thought. The file isn't detected as malicious by most scanners, but I think it's not legit either. Let's try to remove the leftovers again:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\6to4v32.dll

Registry::

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsb3Sevic =-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

how is the PC doing?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 beatmstrj

beatmstrj
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:51 AM

Posted 12 April 2012 - 05:41 PM

Its hard to say how the computer is doing because it wasn't exhibiting any unusual behavior other than browser redirects. But since the internet is not working I can't really tell any more. The internet still does not work (in my research this seems like it might be due to an infected/corrupted ipsec.sys file). However, after running combofix this time around, it seems as though the CD-Rom drive is no longer disabled.

Here is the latest log.


ComboFix 12-04-12.03 - Compaq_Owner 04/12/2012 12:44:02.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.177 [GMT -7:00]
Running from: E:\ComboFix.exe
Command switches used :: E:\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-03-12 to 2012-04-12 )))))))))))))))))))))))))))))))
.
.
2012-04-04 01:25 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-04 01:25 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\dllcache\afd.sys
2012-04-03 21:19 . 2004-08-17 19:00 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-04-03 21:19 . 2004-08-17 19:00 74752 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2012-03-31 00:41 . 2012-03-31 00:43 -------- d-----w- c:\documents and settings\Administrator
2012-03-28 23:25 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-28 23:25 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2012-03-28 22:38 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-28 22:38 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-28 22:38 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-28 22:38 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-28 22:38 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-28 22:38 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-28 22:38 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-28 22:38 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-03-28 22:37 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-03-28 22:37 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-28 22:37 . 2012-03-28 22:37 -------- d-----w- c:\program files\AVAST Software
2012-03-28 22:37 . 2012-03-28 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-26 23:39 . 2012-03-28 02:31 57344 ----a-w- c:\windows\system32\6to4v32.dll
2012-03-26 22:12 . 2012-03-26 22:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 2004-08-04 04:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2004-08-04 04:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 -csh--w- c:\windows\twain_32.dll
2011-02-08 13:33 978944 -csh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 57344 -csh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2010-12-20 17:32 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-02-10 2621440]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-19 27136]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-19 27136]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Pyramid\\TimeTrax\\Pyramid.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1201:TCP"= 1201:TCP:*:Disabled:EZWatchPro1201
"1001:TCP"= 1001:TCP:*:Disabled:EZWatchPro1001
"1901:TCP"= 1901:TCP:*:Disabled:EZWatchPro1901
"8000:TCP"= 8000:TCP:*:Disabled:EZWatchPro8000
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/28/2012 3:38 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/28/2012 3:38 PM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/28/2012 3:38 PM 20696]
R2 BT878;Witness 3404HS Video Device 0;c:\windows\system32\drivers\WITHS341.SYS [9/8/2006 3:36 PM 255872]
R2 BT8782;Witness 3404HS Video Device 1;c:\windows\system32\drivers\WITHS342.SYS [9/8/2006 3:36 PM 255872]
R2 BT8783;Witness 3404HS Video Device 2;c:\windows\system32\drivers\WITHS343.SYS [9/8/2006 3:36 PM 255872]
R2 BT8784;Witness 3404HS Video Device 3;c:\windows\system32\drivers\WITHS344.SYS [9/8/2006 3:36 PM 255872]
R2 BT8785;Witness 3404HS Video Device 4;c:\windows\system32\drivers\WITHS345.SYS [9/8/2006 3:36 PM 255872]
R2 BT8786;Witness 3404HS Video Device 5;c:\windows\system32\drivers\WITHS346.SYS [9/8/2006 3:36 PM 255872]
R2 BT8787;Witness 3404HS Video Device 6;c:\windows\system32\drivers\WITHS347.SYS [9/8/2006 3:36 PM 255872]
R2 BT8788;Witness 3404HS Video Device 7;c:\windows\system32\drivers\WITHS348.SYS [9/8/2006 3:36 PM 255872]
R3 Audio;Witness 3404HS Audio;c:\windows\system32\drivers\WithsAud.sys [9/8/2006 3:36 PM 8021]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [1/12/2011 6:50 PM 245760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-01 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]
.
2012-03-01 c:\windows\Tasks\Disk Defragmenter.job
- c:\windows\system32\dfrg.msc [2004-08-04 04:00]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.0.1
Filter: application/x-vcm8 - {560A62D2-E52E-4BC6-A88C-5E4651A2C1D1} - c:\progra~1\G7PS\VERSAC~1\MESSEN~1\VCMCON~1.OCX
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-12 12:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(448)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-04-12 12:53:03
ComboFix-quarantined-files.txt 2012-04-12 19:53
ComboFix2.txt 2012-04-09 23:59
ComboFix3.txt 2012-04-04 01:36
.
Pre-Run: 177,894,481,920 bytes free
Post-Run: 177,882,955,776 bytes free
.
- - End Of File - - 34DDBE037F99B6E23BC503BF168CB512

#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:51 AM

Posted 13 April 2012 - 05:23 AM

Hi,

  • Please save the text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.

    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    NecUsb3Sevic=-
    
  • It should look like this ->Posted Image
  • Doubleclick fix.reg, when a window pops up and ask if this information should be merged, press Yes and ok.
Reboot and post a fresh combofix.txt log.


please run a scan with Farbar's Service Scanner next:
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

regards myrti

Edited by myrti, 13 April 2012 - 05:23 AM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 beatmstrj

beatmstrj
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:51 AM

Posted 13 April 2012 - 06:29 PM

Here are the latest logs. It should be noted that Combofix reports rootkit activity with each scan I've made so far (then it reboots and scans again).


ComboFix 12-04-12.03 - Compaq_Owner 04/13/2012 15:46:08.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.144 [GMT -7:00]
Running from: K:\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-13 to 2012-04-13 )))))))))))))))))))))))))))))))
.
.
2012-04-04 01:25 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-04-04 01:25 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\dllcache\afd.sys
2012-04-03 21:19 . 2004-08-17 19:00 74752 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-04-03 21:19 . 2004-08-17 19:00 74752 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2012-03-31 00:41 . 2012-03-31 00:43 -------- d-----w- c:\documents and settings\Administrator
2012-03-28 23:25 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-28 23:25 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\dllcache\cdrom.sys
2012-03-28 22:38 . 2012-03-06 23:01 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-28 22:38 . 2012-03-06 23:03 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-28 22:38 . 2012-03-06 23:02 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-28 22:38 . 2012-03-06 23:01 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-28 22:38 . 2012-03-06 23:03 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-28 22:38 . 2012-03-06 23:01 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-28 22:38 . 2012-03-06 23:01 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-28 22:38 . 2012-03-06 22:58 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-03-28 22:37 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-03-28 22:37 . 2012-03-06 23:15 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-28 22:37 . 2012-03-28 22:37 -------- d-----w- c:\program files\AVAST Software
2012-03-28 22:37 . 2012-03-28 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-03-26 23:39 . 2012-03-28 02:31 57344 ----a-w- c:\windows\system32\6to4v32.dll
2012-03-26 22:12 . 2012-03-26 22:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 2004-08-04 04:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2004-08-04 04:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 -csh--w- c:\windows\twain_32.dll
2011-02-08 13:33 978944 -csh--w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 57344 -csh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2010-12-20 17:32 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-02-10 2621440]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-19 27136]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-5-19 27136]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Pyramid\\TimeTrax\\Pyramid.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1201:TCP"= 1201:TCP:*:Disabled:EZWatchPro1201
"1001:TCP"= 1001:TCP:*:Disabled:EZWatchPro1001
"1901:TCP"= 1901:TCP:*:Disabled:EZWatchPro1901
"8000:TCP"= 8000:TCP:*:Disabled:EZWatchPro8000
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/28/2012 3:38 PM 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/28/2012 3:38 PM 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/28/2012 3:38 PM 20696]
R2 BT878;Witness 3404HS Video Device 0;c:\windows\system32\drivers\WITHS341.SYS [9/8/2006 3:36 PM 255872]
R2 BT8782;Witness 3404HS Video Device 1;c:\windows\system32\drivers\WITHS342.SYS [9/8/2006 3:36 PM 255872]
R2 BT8783;Witness 3404HS Video Device 2;c:\windows\system32\drivers\WITHS343.SYS [9/8/2006 3:36 PM 255872]
R2 BT8784;Witness 3404HS Video Device 3;c:\windows\system32\drivers\WITHS344.SYS [9/8/2006 3:36 PM 255872]
R2 BT8785;Witness 3404HS Video Device 4;c:\windows\system32\drivers\WITHS345.SYS [9/8/2006 3:36 PM 255872]
R2 BT8786;Witness 3404HS Video Device 5;c:\windows\system32\drivers\WITHS346.SYS [9/8/2006 3:36 PM 255872]
R2 BT8787;Witness 3404HS Video Device 6;c:\windows\system32\drivers\WITHS347.SYS [9/8/2006 3:36 PM 255872]
R2 BT8788;Witness 3404HS Video Device 7;c:\windows\system32\drivers\WITHS348.SYS [9/8/2006 3:36 PM 255872]
R3 Audio;Witness 3404HS Audio;c:\windows\system32\drivers\WithsAud.sys [9/8/2006 3:36 PM 8021]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [1/12/2011 6:50 PM 245760]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
NecUsb3Sevic REG_MULTI_SZ NecUsb3
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-01 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]
.
2012-03-01 c:\windows\Tasks\Disk Defragmenter.job
- c:\windows\system32\dfrg.msc [2004-08-04 04:00]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
TCP: DhcpNameServer = 10.0.0.1
Filter: application/x-vcm8 - {560A62D2-E52E-4BC6-A88C-5E4651A2C1D1} - c:\progra~1\G7PS\VERSAC~1\MESSEN~1\VCMCON~1.OCX
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-13 15:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(448)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-04-13 15:55:11
ComboFix-quarantined-files.txt 2012-04-13 22:55
ComboFix2.txt 2012-04-12 19:53
ComboFix3.txt 2012-04-09 23:59
ComboFix4.txt 2012-04-04 01:36
.
Pre-Run: 177,928,372,224 bytes free
Post-Run: 177,912,422,400 bytes free
.
- - End Of File - - AD6BD03A167062620E3728AD1607BDB4

Farbar Service Scanner Version: 01-03-2012
Ran by Compaq_Owner (administrator) on 13-04-2012 at 16:26:10
Running from "K:\"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys
[2012-04-03 14:19] - [2004-08-17 12:00] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1

C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(6) IPSec(9) NetBT(10) PSched(7) Tcpip(3)
0x09000000090000000400000001000000020000000300000008000000050000000600000007000000


**** End of log ****

#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:51 AM

Posted 14 April 2012 - 07:52 AM

Hi,

could you please run a scan with gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#15 beatmstrj

beatmstrj
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:51 AM

Posted 14 April 2012 - 05:58 PM

Here is the log from GMER. GMER ran without any problems and did not detect any rootkit activity.


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-14 14:11:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7 SAMSUNG_SP2004C rev.VM100-38
Running: ytwtntjt.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\fgldapob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xF1577DF8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xF162CA5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xF157885E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xF15A4D5D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xF157D2E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xF157D330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xF157D422]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xF15A4711]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xF157D252]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xF157D374]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xF157D29A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xF157D3DC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xF1577E44]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xF15A5423]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xF15A56D9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xF157A9A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xF15A528E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xF15A50F9]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xF162CB34]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xF1577AD6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xF1577E90]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xF157AD1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xF1578B02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xF157D30E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xF157D352]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xF157D446]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xF15A4A6D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xF157D278]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xF157A518]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xF157D3AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xF157D2C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xF157A74C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xF157D400]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xF162CCA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xF15A4F74]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xF15789CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xF15A4DC6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF1636B68]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xF15A3D84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xF1577EDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xF1577F28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xF1577B46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xF1577CEA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xF15A552A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xF1577C92]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xF1577D5A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0xF162CD60]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xF1577F74]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0xF162CBE0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 2 Bytes [22, D4] {AND DL, AH}
.text ntkrnlpa.exe!ZwCallbackReturn + 2DB8 80504654 2 Bytes [46, D4]
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64A8 4 Bytes CALL F157919F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFreeUserMem + 674 BF8098F2 5 Bytes JMP F157C180 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFreeUserMem + 35D0 BF80C84E 5 Bytes JMP F157C07C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 45 BF8138E6 5 Bytes JMP F157C036 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 11D3 BF81C550 5 Bytes JMP F157B724 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngSetLastError + 79A8 BF8240C0 5 Bytes JMP F157AF84 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + F9C BF828A2A 5 Bytes JMP F157C2EA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 2C50 BF831475 5 Bytes JMP F157C4F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + B68E BF839EB3 5 Bytes JMP F157BF3C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + 84ED BF851745 5 Bytes JMP F157AE66 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + F17 BF85BC6A 5 Bytes JMP F157B7E6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 3581 BF85E2D4 5 Bytes JMP F157B384 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 360C BF85E35F 5 Bytes JMP F157B562 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 88 BF85F5D2 5 Bytes JMP F157AE4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 5457 BF8649A1 5 Bytes JMP F157C0BA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 4128 BF873CF0 5 Bytes JMP F157B51C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetLastError + 1606 BF890FA2 5 Bytes JMP F157B7FE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 26EE BF89454D 5 Bytes JMP F157C232 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 583 BF895025 5 Bytes JMP F157C450 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 3857 BF89C3CB 5 Bytes JMP F157B70C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 4DEC BF89D960 5 Bytes JMP F157AFF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngEraseSurface + A9E0 BF8C1EE0 5 Bytes JMP F157B104 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1517 BF8CA342 5 Bytes JMP F157B1AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1797 BF8CA5C2 5 Bytes JMP F157B2E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + 3B3E BF8EC017 5 Bytes JMP F157AD52 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + CB3D BF8F5016 5 Bytes JMP F157B73C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 19DF BF913566 5 Bytes JMP F157AF22 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 25B3 BF91413A 5 Bytes JMP F157B0B0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4F2C BF916AB3 5 Bytes JMP F157B67C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 1940 BF946632 5 Bytes JMP F157C3A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\Ati2evxx.exe[136] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\Ati2evxx.exe[136] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\Ati2evxx.exe[136] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\Ati2evxx.exe[136] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\Ati2evxx.exe[136] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\Ati2evxx.exe[136] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\Ati2evxx.exe[136] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\Ati2evxx.exe[136] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\Ati2evxx.exe[136] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\Ati2evxx.exe[136] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\Ati2evxx.exe[136] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\Ati2evxx.exe[136] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\Ati2evxx.exe[136] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\Ati2evxx.exe[136] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\Ati2evxx.exe[136] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\Ati2evxx.exe[136] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\Ati2evxx.exe[136] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\WINDOWS\System32\smss.exe[372] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[420] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[420] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[448] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000701F8
.text C:\WINDOWS\system32\winlogon.exe[448] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[448] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000703FC
.text C:\WINDOWS\system32\winlogon.exe[448] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[448] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\winlogon.exe[448] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\winlogon.exe[448] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\winlogon.exe[448] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\winlogon.exe[448] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\winlogon.exe[448] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\winlogon.exe[448] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\winlogon.exe[448] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\winlogon.exe[448] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\winlogon.exe[448] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\winlogon.exe[448] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\winlogon.exe[448] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\winlogon.exe[448] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\services.exe[492] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\services.exe[492] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[492] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\services.exe[492] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[492] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\services.exe[492] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\services.exe[492] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\services.exe[492] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\services.exe[492] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\services.exe[492] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\services.exe[492] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\services.exe[492] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\services.exe[492] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\services.exe[492] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\services.exe[492] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\services.exe[492] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\services.exe[492] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\lsass.exe[504] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\lsass.exe[504] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[504] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\lsass.exe[504] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[504] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\lsass.exe[504] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\lsass.exe[504] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\lsass.exe[504] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\lsass.exe[504] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\lsass.exe[504] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\lsass.exe[504] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\lsass.exe[504] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\lsass.exe[504] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\lsass.exe[504] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\lsass.exe[504] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\lsass.exe[504] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\lsass.exe[504] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\Explorer.EXE[620] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\Explorer.EXE[620] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[620] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\Explorer.EXE[620] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[620] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\Explorer.EXE[620] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\Explorer.EXE[620] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\Explorer.EXE[620] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\Explorer.EXE[620] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\Explorer.EXE[620] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\Explorer.EXE[620] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\Explorer.EXE[620] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\WINDOWS\Explorer.EXE[620] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\WINDOWS\Explorer.EXE[620] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\WINDOWS\Explorer.EXE[620] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\WINDOWS\Explorer.EXE[620] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\WINDOWS\Explorer.EXE[620] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\Ati2evxx.exe[652] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\Ati2evxx.exe[652] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\Ati2evxx.exe[652] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\Ati2evxx.exe[652] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\Ati2evxx.exe[652] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\Ati2evxx.exe[652] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\Ati2evxx.exe[652] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\Ati2evxx.exe[652] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\Ati2evxx.exe[652] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\Ati2evxx.exe[652] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\Ati2evxx.exe[652] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\Ati2evxx.exe[652] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\Ati2evxx.exe[652] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\Ati2evxx.exe[652] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\Ati2evxx.exe[652] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\Ati2evxx.exe[652] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\Ati2evxx.exe[652] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\svchost.exe[668] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[668] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[668] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[668] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[668] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[668] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[668] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[668] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[668] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\svchost.exe[744] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[744] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[744] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[744] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[744] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[744] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[744] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[744] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[744] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[744] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\System32\svchost.exe[784] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\svchost.exe[784] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[784] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\svchost.exe[784] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\svchost.exe[784] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\svchost.exe[784] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\System32\svchost.exe[784] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\System32\svchost.exe[784] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\System32\svchost.exe[784] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\System32\svchost.exe[784] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\svchost.exe[840] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[840] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[840] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[840] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[840] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[840] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[840] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[840] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[840] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[868] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[868] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\brsvc01a.exe[1000] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\brsvc01a.exe[1000] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\brsvc01a.exe[1000] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\brsvc01a.exe[1000] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\brsvc01a.exe[1000] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\brsvc01a.exe[1000] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\brsvc01a.exe[1000] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\brsvc01a.exe[1000] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\brsvc01a.exe[1000] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\brsvc01a.exe[1000] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\brsvc01a.exe[1000] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\brsvc01a.exe[1000] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\brsvc01a.exe[1000] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\brsvc01a.exe[1000] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\brsvc01a.exe[1000] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\brsvc01a.exe[1000] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\brsvc01a.exe[1000] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\brss01a.exe[1056] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\WINDOWS\system32\brss01a.exe[1056] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\brss01a.exe[1056] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\WINDOWS\system32\brss01a.exe[1056] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\brss01a.exe[1056] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
.text C:\WINDOWS\system32\brss01a.exe[1056] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
.text C:\WINDOWS\system32\brss01a.exe[1056] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
.text C:\WINDOWS\system32\brss01a.exe[1056] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
.text C:\WINDOWS\system32\brss01a.exe[1056] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
.text C:\WINDOWS\system32\brss01a.exe[1056] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\WINDOWS\system32\brss01a.exe[1056] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\WINDOWS\system32\brss01a.exe[1056] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\WINDOWS\system32\brss01a.exe[1056] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\WINDOWS\system32\brss01a.exe[1056] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\WINDOWS\system32\brss01a.exe[1056] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\WINDOWS\system32\brss01a.exe[1056] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\brss01a.exe[1056] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\spoolsv.exe[1064] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\spoolsv.exe[1064] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1064] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\spoolsv.exe[1064] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[1064] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\spoolsv.exe[1064] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\spoolsv.exe[1064] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\spoolsv.exe[1064] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\spoolsv.exe[1064] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\spoolsv.exe[1064] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\spoolsv.exe[1064] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\spoolsv.exe[1064] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\spoolsv.exe[1064] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\spoolsv.exe[1064] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\spoolsv.exe[1064] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\spoolsv.exe[1064] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\spoolsv.exe[1064] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1144] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[1144] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[1144] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[1144] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[1144] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1204] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1204] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1204] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1244] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1304] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\Program Files\Netscape Internet Service\ncupdatesvc.exe[1320] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1364] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[1368] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[1368] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[1368] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[1368] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[1368] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\wuauclt.exe[1524] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\wuauclt.exe[1524] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[1524] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\wuauclt.exe[1524] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\wuauclt.exe[1524] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\wuauclt.exe[1524] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\wuauclt.exe[1524] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\wuauclt.exe[1524] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\wuauclt.exe[1524] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\wuauclt.exe[1524] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
.text C:\WINDOWS\System32\alg.exe[1808] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\alg.exe[1808] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[1808] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\alg.exe[1808] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[1808] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\alg.exe[1808] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\alg.exe[1808] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\alg.exe[1808] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\alg.exe[1808] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\alg.exe[1808] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\System32\alg.exe[1808] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\System32\alg.exe[1808] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\System32\alg.exe[1808] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\System32\alg.exe[1808] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\System32\alg.exe[1808] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\System32\alg.exe[1808] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\System32\alg.exe[1808] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\wscntfy.exe[1920] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\wscntfy.exe[1920] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[1920] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\wscntfy.exe[1920] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\wscntfy.exe[1920] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\wscntfy.exe[1920] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\wscntfy.exe[1920] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\wscntfy.exe[1920] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\wscntfy.exe[1920] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\wscntfy.exe[1920] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
.text C:\WINDOWS\system32\wscntfy.exe[1920] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
.text C:\WINDOWS\system32\wscntfy.exe[1920] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
.text C:\WINDOWS\system32\wscntfy.exe[1920] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
.text C:\WINDOWS\system32\wscntfy.exe[1920] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
.text C:\WINDOWS\system32\wscntfy.exe[1920] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
.text C:\WINDOWS\system32\wscntfy.exe[1920] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
.text C:\WINDOWS\system32\wscntfy.exe[1920] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
.text C:\WINDOWS\RTHDCPL.EXE[1948] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\WINDOWS\RTHDCPL.EXE[1948] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\RTHDCPL.EXE[1948] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\WINDOWS\RTHDCPL.EXE[1948] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\RTHDCPL.EXE[1948] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
.text C:\WINDOWS\RTHDCPL.EXE[1948] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
.text C:\WINDOWS\RTHDCPL.EXE[1948] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
.text C:\WINDOWS\RTHDCPL.EXE[1948] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
.text C:\WINDOWS\RTHDCPL.EXE[1948] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
.text C:\WINDOWS\RTHDCPL.EXE[1948] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\WINDOWS\RTHDCPL.EXE[1948] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\WINDOWS\RTHDCPL.EXE[1948] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\WINDOWS\RTHDCPL.EXE[1948] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\WINDOWS\RTHDCPL.EXE[1948] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\WINDOWS\RTHDCPL.EXE[1948] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\WINDOWS\RTHDCPL.EXE[1948] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\WINDOWS\RTHDCPL.EXE[1948] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\windows\system\hpsysdrv.exe[1964] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\windows\system\hpsysdrv.exe[1964] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\windows\system\hpsysdrv.exe[1964] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\windows\system\hpsysdrv.exe[1964] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\windows\system\hpsysdrv.exe[1964] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
.text C:\windows\system\hpsysdrv.exe[1964] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
.text C:\windows\system\hpsysdrv.exe[1964] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
.text C:\windows\system\hpsysdrv.exe[1964] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
.text C:\windows\system\hpsysdrv.exe[1964] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1988] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[2016] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[2016] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A1014
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A0804
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0A08
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A0C0C
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0E10
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A01F8
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A03FC
.text C:\Program Files\Browny02\BrYNSvc.exe[2156] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A0600
.text K:\ytwtntjt.exe[2620] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text K:\ytwtntjt.exe[2620] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text K:\ytwtntjt.exe[2620] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text K:\ytwtntjt.exe[2620] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text K:\ytwtntjt.exe[2620] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003E1014
.text K:\ytwtntjt.exe[2620] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003E0804
.text K:\ytwtntjt.exe[2620] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003E0A08
.text K:\ytwtntjt.exe[2620] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003E0C0C
.text K:\ytwtntjt.exe[2620] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003E0E10
.text K:\ytwtntjt.exe[2620] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003E01F8
.text K:\ytwtntjt.exe[2620] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003E03FC
.text K:\ytwtntjt.exe[2620] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003E0600
.text K:\ytwtntjt.exe[2620] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003F0804
.text K:\ytwtntjt.exe[2620] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003F0A08
.text K:\ytwtntjt.exe[2620] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003F0600
.text K:\ytwtntjt.exe[2620] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003F01F8
.text K:\ytwtntjt.exe[2620] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003F03FC

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[492] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005E0002
IAT C:\WINDOWS\system32\services.exe[492] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005E0000
IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1204] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\avastUI.exe[2016] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

---- EOF - GMER 1.0.15 ----




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users