Infected with Rootkit(s) & applications keep returning crash errors


This topic is locked
34 replies to this topic

#1 R_P_M

  • Members
  • 18 posts

Posted 02 July 2012 - 04:45 AM

Hi all,

I seem to have got myself a rootkit (or, should I fear, multiple), and feel that I'm close to the end of my peripheral tether with its antics. Applications that ran in the previous log-in session mysteriously decide to "encounter an unexpected error and need to close", which can become infuriating if you need to use the program in consecutive sessions (e.g. web browsers).

I have received blue screens on random occasions, giving me "Page Fault In Non Paged Area" and an issue with the win32k.sys file (if that helps narrow it down, or to describe its activity).

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by Ryan at 13:41:43 on 2012-07-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2791.2050 [GMT 8:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Boot Camp\Bootcamp.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Apple_KbdMgr] c:\program files\boot camp\Bootcamp.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} - hxxps://pbank.95559.com.cn/personbank/ocx/safe_bankcomm.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{0C438904-A411-4C49-BEA8-05D1CB4A47B7} : DhcpNameServer = 10.0.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ryan\application data\mozilla\firefox\profiles\0y8yz0sn.default\
FF - prefs.js: browser.startup.homepage - hxxp://qzone.qq.com/
FF - plugin: c:\documents and settings\ryan\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AppleHFS;AppleHFS;c:\windows\system32\drivers\AppleHFS.sys [2010-11-11 49280]
R0 AppleMNT;AppleMNT;c:\windows\system32\drivers\AppleMNT.sys [2010-11-11 6784]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-6-9 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-6-9 353688]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-23 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2010-11-11 193848]
R2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2010-1-16 99640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-6-9 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-6-9 44808]
R2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2010-11-11 6528]
R2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2010-11-11 12928]
R3 applemtm;Apple Multitouch Mouse;c:\windows\system32\drivers\applemtm.sys [2012-6-8 10880]
R3 applemtp;Apple Multitouch;c:\windows\system32\drivers\applemtp.sys [2012-6-8 29824]
R3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\drivers\IRFilter.sys [2012-6-8 16512]
R3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\drivers\KeyMagic.sys [2012-6-8 23552]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-6-5 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-8 250056]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-8 113120]
.
=============== Created Last 30 ================
.
2012-07-02 04:05:06 -------- d-----w- c:\documents and settings\ryan\application data\ExpressVPN
2012-07-02 03:52:54 -------- d-----w- c:\program files\ExpressVPN
2012-06-30 03:35:08 -------- d-----w- c:\program files\Pidgin
2012-06-29 23:11:40 -------- d-----w- c:\windows\pss
2012-06-29 23:07:08 -------- d-----w- c:\program files\Unlocker
2012-06-29 22:55:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-25 03:13:34 -------- d-----w- c:\program files\common files\Enterbrain
2012-06-18 23:13:22 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Turbine
2012-06-18 23:13:10 -------- d-----w- c:\documents and settings\ryan\local settings\application data\ApplicationHistory
2012-06-18 23:10:34 -------- d-----w- c:\windows\system32\URTTEMP
2012-06-18 23:09:49 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2012-06-18 22:13:22 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-18 22:13:22 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-18 22:13:22 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-18 10:48:58 -------- d-----w- C:\03f852b638aac890901d6926
2012-06-18 04:16:54 -------- d-----w- c:\windows\system32\xlive
2012-06-18 04:16:41 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2012-06-18 03:59:39 -------- d-----w- C:\dbfbeeb1fb678f81c6659321
2012-06-18 03:30:58 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2012-06-18 03:30:57 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2012-06-18 03:30:50 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2012-06-17 09:51:01 -------- d-----w- c:\program files\Oracle
2012-06-16 05:28:34 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-06-16 05:28:34 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-06-16 05:20:58 98816 ----a-w- c:\windows\sed.exe
2012-06-16 05:20:58 518144 ----a-w- c:\windows\SWREG.exe
2012-06-16 05:20:58 256000 ----a-w- c:\windows\PEV.exe
2012-06-16 05:20:58 208896 ----a-w- c:\windows\MBR.exe
2012-06-14 22:58:47 -------- d-sh--w- c:\documents and settings\ryan\IECompatCache
2012-06-14 22:28:41 -------- d-sh--w- c:\documents and settings\ryan\PrivacIE
2012-06-14 00:25:49 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Geckofx
2012-06-14 00:25:38 -------- d-----w- c:\documents and settings\ryan\application data\Firefly Studios
2012-06-14 00:08:28 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2012-06-14 00:08:28 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2012-06-14 00:08:28 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2012-06-14 00:08:19 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2012-06-14 00:08:18 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2012-06-14 00:08:18 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2012-06-14 00:08:16 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2012-06-14 00:08:14 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2012-06-14 00:08:08 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2012-06-14 00:07:53 -------- d-----w- c:\windows\Logs
2012-06-13 06:53:35 -------- d-----w- c:\program files\common files\Steam
2012-06-13 06:53:29 -------- d-----w- c:\program files\Steam
2012-06-12 22:32:33 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-12 07:40:57 -------- d-----w- c:\program files\Windows Media Connect 2
2012-06-12 07:38:48 -------- d-----w- c:\windows\system32\LogFiles
2012-06-11 23:49:58 -------- d-----w- c:\documents and settings\ryan\application data\Blender Foundation
2012-06-11 23:49:16 -------- d-----w- c:\documents and settings\ryan\.thumbnails
2012-06-11 02:20:41 -------- d-----w- c:\windows\ie8updates
2012-06-11 00:27:21 -------- d-----w- c:\documents and settings\ryan\application data\SUPERAntiSpyware.com
2012-06-11 00:25:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-11 00:25:48 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-06-10 23:21:43 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-06-10 23:21:42 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-06-10 23:21:42 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-06-10 23:21:42 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-06-10 23:21:40 629760 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-06-10 23:21:39 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-06-10 03:56:55 -------- d-sh--w- c:\documents and settings\ryan\IETldCache
2012-06-10 01:16:59 -------- dc-h--w- c:\windows\ie8
2012-06-10 00:55:19 221184 ----a-w- c:\windows\system32\wmpns.dll
2012-06-09 22:37:02 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-06-09 22:36:15 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-06-09 22:34:55 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-06-09 22:27:12 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-06-09 22:26:11 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Amazon
2012-06-09 22:26:00 -------- d-----w- c:\program files\Amazon
2012-06-09 22:19:24 758784 -c--a-w- c:\windows\system32\dllcache\vgx.dll
2012-06-09 22:19:00 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-06-09 22:18:58 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-06-09 22:18:57 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-06-09 22:18:57 3072 ------w- c:\windows\system32\iacenc.dll
2012-06-09 22:17:05 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-06-09 07:09:38 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Sun
2012-06-09 05:14:42 -------- d-----w- c:\documents and settings\ryan\application data\Unity
2012-06-09 05:13:54 -------- d-----w- c:\documents and settings\ryan\local settings\application data\PACE Anti-Piracy
2012-06-09 05:13:54 -------- d-----w- c:\documents and settings\ryan\application data\PACE Anti-Piracy
2012-06-09 05:13:54 -------- d-----w- c:\documents and settings\all users\application data\PACE Anti-Piracy
2012-06-09 05:13:53 -------- d-----w- c:\program files\common files\PACE Anti-Piracy
2012-06-09 04:47:54 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-09 04:47:54 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-09 04:47:54 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-09 03:43:36 -------- d-----w- c:\documents and settings\ryan\local settings\application data\PCHealth
2012-06-09 03:41:11 -------- d-----w- c:\documents and settings\ryan\application data\OpenOffice.org
2012-06-09 02:39:09 -------- d-----w- c:\windows\system32\scripting
2012-06-09 02:39:08 -------- d-----w- c:\windows\l2schemas
2012-06-09 02:39:06 -------- d-----w- c:\windows\system32\en
2012-06-09 02:39:06 -------- d-----w- c:\windows\system32\bits
2012-06-09 02:28:15 -------- d-----w- c:\windows\network diagnostic
2012-06-09 02:03:54 95424 ------w- c:\windows\system32\drivers\slnthal.sys
2012-06-09 02:02:44 61440 ------w- c:\windows\system32\kmsvc.dll
2012-06-08 22:42:45 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Unity
2012-06-08 22:35:54 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Adobe
2012-06-08 22:35:51 -------- d-----w- c:\program files\Unity
2012-06-08 22:33:50 -------- d-----w- c:\program files\Blender Foundation
2012-06-08 22:31:59 -------- d-----r- c:\program files\Skype
2012-06-08 22:28:04 -------- d-----w- c:\documents and settings\ryan\application data\Malwarebytes
2012-06-08 22:27:57 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-06-08 22:27:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-08 22:27:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-08 22:25:26 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-06-08 22:24:33 41224 ----a-w- c:\windows\avastSS.scr
2012-06-08 22:24:06 -------- d-----w- c:\program files\AVAST Software
2012-06-08 22:24:06 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-06-08 22:15:56 -------- d-----w- c:\windows\EHome
2012-06-08 22:11:44 -------- d-----w- c:\program files\OpenOffice.org 3
2012-06-08 09:43:51 -------- d-----w- c:\program files\VideoLAN
2012-06-08 09:17:15 -------- d-----w- c:\windows\system32\XPSViewer
2012-06-08 09:16:47 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-06-08 09:16:35 117760 ------w- c:\windows\system32\prntvpt.dll
2012-06-08 09:16:34 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2012-06-08 09:16:34 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2012-06-08 09:16:34 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2012-06-08 09:16:34 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2012-06-08 09:16:34 575488 ------w- c:\windows\system32\xpsshhdr.dll
2012-06-08 09:16:34 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2012-06-08 09:16:34 1676288 ------w- c:\windows\system32\xpssvcs.dll
2012-06-08 09:16:34 -------- d-----w- C:\251a188fb20c1c481f70e956b250
2012-06-08 09:15:01 -------- d-----w- c:\program files\MSXML 6.0
2012-06-08 09:07:00 -------- d-----w- c:\documents and settings\ryan\application data\.purple
2012-06-08 09:04:56 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-08 09:04:56 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-08 09:03:52 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Mozilla
2012-06-08 08:49:13 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2012-06-08 08:49:12 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2012-06-08 08:49:12 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
2012-06-08 08:49:12 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2012-06-08 08:49:12 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2012-06-08 08:49:12 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2012-06-08 08:49:12 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2012-06-08 08:49:12 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2012-06-08 08:49:12 110592 -c----w- c:\windows\system32\dllcache\services.exe
2012-06-08 08:49:11 2192640 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2012-06-08 08:49:11 2148352 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2012-06-08 08:49:10 2026496 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2012-06-08 08:21:01 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-06-08 08:20:45 357888 -c----w- c:\windows\system32\dllcache\srv.sys
2012-06-08 08:19:57 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-06-08 08:19:56 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-06-08 08:19:13 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-06-08 08:18:49 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-06-08 08:11:03 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-06-08 07:34:57 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-06-08 07:16:16 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2012-06-08 07:05:21 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2012-06-08 07:05:20 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
.
==================== Find3M ====================
.
2012-06-15 22:34:01 90112 ----a-w- c:\windows\DUMPd9b6.tmp
2012-06-02 07:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 07:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 07:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 07:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 07:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 13:43:20.68 ===============

GMER Log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-02 15:06:34
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200BEVT-00A0RT0 rev.01.01A01
Running: 5gwls59r.exe; Driver: C:\DOCUME~1\Ryan\LOCALS~1\Temp\fwkorkoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xAE50A488]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xAE5B37BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xAE50AEA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xAE54AB81]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xAE515CCC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xAE515D18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xAE515E9A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xAE54A535]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xAE515C3A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xAE515D5C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xAE515C82]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xAE50B098]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xAE515E54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xAE50B81C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xAE50A4D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xAE54B247]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xAE54B4FD]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xAE50EE88]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAE54B0B2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAE54AF1D]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xAE5B389E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xAE50A13E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xAE50A524]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xAE50F1FA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xAE50C1E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xAE515CF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xAE515D3A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xAE515EBE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xAE54A891]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xAE515C60]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xAE50E9FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xAE515DDE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xAE515CAA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xAE50EC30]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xAE515E78]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xAE5B3A1E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xAE54AD98]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xAE50C0B0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xAE54ABEA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xAE50BC5A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xAE5BF338]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xAE549BA8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xAE50A572]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xAE50A5C0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xAE50B69C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xAE50A1C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xAE50A378]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xAE54B34E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xAE50A31E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xAE50B97E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xAE50BADA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xAE50A3E8]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAE6A0640]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xAE50B51C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xAE50A60E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xAE50AEE8]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAE5CB744]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D28 805045E0 2 Bytes [9E, 38]
.text ntkrnlpa.exe!ZwCallbackReturn + 2DC4 8050467C 4 Bytes [FE, E9, 50, AE]
.text ntkrnlpa.exe!ZwCallbackReturn + 2E00 805046B8 2 Bytes [1E, 3A]
.text ntkrnlpa.exe!ZwCallbackReturn + 2EA0 80504758 4 Bytes [EA, AB, 54, AE]
.text ntkrnlpa.exe!ZwCallbackReturn + 2F28 805047E0 12 Bytes [72, A5, 50, AE, C0, A5, 50, ...] {JB 0xffffffffffffffa7; PUSH EAX; SCASB ; SHL BYTE [EBP-0x496351b0], 0x50; SCASB }
.text ...
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64B0 4 Bytes CALL AE50C895 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC55E 5 Bytes JMP AE5C861C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2FE2 5 Bytes JMP AE5CA0FE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D119A 7 Bytes JMP AE5CB748 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB734D360, 0x3E6B45, 0xE8000020]
.text win32k.sys!EngFreeUserMem + 674 BF8098F2 5 Bytes JMP AE510812 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFreeUserMem + 35D0 BF80C84E 5 Bytes JMP AE510702 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 45 BF8138E6 5 Bytes JMP AE5106BC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 11D3 BF81C550 5 Bytes JMP AE50FD6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngSetLastError + 79A8 BF8240C0 5 Bytes JMP AE50F48A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + F9C BF828A2A 5 Bytes JMP AE51097C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 2C50 BF831475 5 Bytes JMP AE510B84 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + B687 BF839EAC 5 Bytes JMP AE5105C2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + C2CF BF85174B 5 Bytes JMP AE50F34E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + F17 BF85BC8A 5 Bytes JMP AE50FE30 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 3581 BF85E2F4 5 Bytes JMP AE50F8E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 360C BF85E37F 5 Bytes JMP AE50FBAA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 88 BF85F5F2 5 Bytes JMP AE50F336 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 5457 BF8649C1 5 Bytes JMP AE51074C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 35FB BF8731C7 5 Bytes JMP AE50F9A4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 4138 BF873D04 5 Bytes JMP AE50FB64 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetLastError + 1606 BF890F6A 5 Bytes JMP AE50FE48 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 26EE BF894515 5 Bytes JMP AE5108C4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 583 BF894FED 5 Bytes JMP AE510AE2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 3857 BF89C393 5 Bytes JMP AE50FD56 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 4DEC BF89D928 5 Bytes JMP AE50F4FA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngEraseSurface + A9DC BF8C1E70 5 Bytes JMP AE50F60A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1517 BF8CA2D2 5 Bytes JMP AE50F6E2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1797 BF8CA552 5 Bytes JMP AE50F80E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + 3B3E BF8EBF17 5 Bytes JMP AE50F230 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + CB53 BF8F4F2C 5 Bytes JMP AE50FD86 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1A5A BF913814 5 Bytes JMP AE50F426 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 262E BF9143E8 5 Bytes JMP AE50F5B6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4FA7 BF916D61 5 Bytes JMP AE50FCC4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 1937 BF946E38 5 Bytes JMP AE510A3A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\spoolsv.exe[160] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[160] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[256] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[256] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[476] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[476] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[476] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[484] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[484] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\AppleOSSMgr.exe[520] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\AppleOSSMgr.exe[520] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\AppleTimeSrv.exe[536] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\AppleTimeSrv.exe[536] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[584] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[584] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\smss.exe[928] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\svchost.exe[944] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] user32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 006C0804
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] user32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 006C0A08
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] user32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 006C0600
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] user32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 006C01F8
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1008] user32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 006C03FC
.text C:\WINDOWS\system32\csrss.exe[1028] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[1028] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[1116] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[1116] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[1160] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[1160] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[1172] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[1172] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[1336] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[1336] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1360] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1412] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1412] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1452] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000801F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000803FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1556] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1652] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1652] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000501F8
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000503FC
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002A0804
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002A0A08
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002A0600
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002A01F8
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002A03FC
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1828] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\ctfmon.exe[1856] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\ctfmon.exe[1856] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1856] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\ctfmon.exe[1856] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1856] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\system32\ctfmon.exe[1856] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\ctfmon.exe[1856] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\ctfmon.exe[1856] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\system32\ctfmon.exe[1856] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\system32\ctfmon.exe[1856] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\ctfmon.exe[1856] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\ctfmon.exe[1856] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\ctfmon.exe[1856] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\ctfmon.exe[1856] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\ctfmon.exe[1856] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\ctfmon.exe[1856] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\ctfmon.exe[1856] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1924] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1924] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1924] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\rundll32.exe[1936] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\rundll32.exe[1936] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\rundll32.exe[1936] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\rundll32.exe[1936] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\rundll32.exe[1936] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\rundll32.exe[1936] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\rundll32.exe[1936] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\rundll32.exe[1936] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\rundll32.exe[1936] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\rundll32.exe[1936] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\system32\rundll32.exe[1936] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\rundll32.exe[1936] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\rundll32.exe[1936] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\system32\rundll32.exe[1936] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\system32\rundll32.exe[1936] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\rundll32.exe[1936] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\rundll32.exe[1936] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 011EFA35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 014907C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] kernel32.dll!MapViewOfFile 7C80B9A5 5 Bytes JMP 0149079E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] GDI32.dll!CreateDIBSection 77F19E19 5 Bytes JMP 01490728 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 03611014
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 03610804
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 03610A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 03610C0C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 03610E10
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 036101F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 036103FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[2216] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 03610600
.text C:\Program Files\Pidgin\pidgin.exe[2280] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 002401F8
.text C:\Program Files\Pidgin\pidgin.exe[2280] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Pidgin\pidgin.exe[2280] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 002403FC
.text C:\Program Files\Pidgin\pidgin.exe[2280] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Pidgin\pidgin.exe[2280] ADVAPI32.DLL!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00491014
.text C:\Program Files\Pidgin\pidgin.exe[2280] ADVAPI32.DLL!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00490804
.text C:\Program Files\Pidgin\pidgin.exe[2280] ADVAPI32.DLL!ChangeServiceConfigW 77E37001 5 Bytes JMP 00490A08
.text C:\Program Files\Pidgin\pidgin.exe[2280] ADVAPI32.DLL!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00490C0C
.text C:\Program Files\Pidgin\pidgin.exe[2280] ADVAPI32.DLL!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00490E10
.text C:\Program Files\Pidgin\pidgin.exe[2280] ADVAPI32.DLL!CreateServiceA 77E37211 5 Bytes JMP 004901F8
.text C:\Program Files\Pidgin\pidgin.exe[2280] ADVAPI32.DLL!CreateServiceW 77E373A9 5 Bytes JMP 004903FC
.text C:\Program Files\Pidgin\pidgin.exe[2280] ADVAPI32.DLL!DeleteService 77E374B1 5 Bytes JMP 00490600
.text C:\Program Files\Pidgin\pidgin.exe[2280] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 004A0804
.text C:\Program Files\Pidgin\pidgin.exe[2280] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 004A0A08
.text C:\Program Files\Pidgin\pidgin.exe[2280] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 004A0600
.text C:\Program Files\Pidgin\pidgin.exe[2280] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 004A01F8
.text C:\Program Files\Pidgin\pidgin.exe[2280] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 004A03FC
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
.text C:\Program Files\Boot Camp\Bootcamp.exe[2312] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[2320] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[2320] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000801F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000803FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2604] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\RUNDLL32.EXE[2760] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\wuauclt.exe[3104] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\wuauclt.exe[3104] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[3104] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\wuauclt.exe[3104] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[3104] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\system32\wuauclt.exe[3104] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\wuauclt.exe[3104] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\wuauclt.exe[3104] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\system32\wuauclt.exe[3104] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\system32\wuauclt.exe[3104] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\wuauclt.exe[3104] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\wuauclt.exe[3104] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\wuauclt.exe[3104] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\wuauclt.exe[3104] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\wuauclt.exe[3104] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\wuauclt.exe[3104] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\wuauclt.exe[3104] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003F1014
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003F0804
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003F0A08
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003F0C0C
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003F0E10
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003F01F8
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003F03FC
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003F0600
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00AA0804
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00AA0A08
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00AA0600
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00AA01F8
.text C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe[3204] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 00AA03FC
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[3220] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC
.text C:\WINDOWS\System32\alg.exe[3836] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\alg.exe[3836] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[3836] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\alg.exe[3836] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[3836] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\alg.exe[3836] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\alg.exe[3836] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\alg.exe[3836] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\alg.exe[3836] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\alg.exe[3836] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\System32\alg.exe[3836] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\System32\alg.exe[3836] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\System32\alg.exe[3836] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\System32\alg.exe[3836] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\System32\alg.exe[3836] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\System32\alg.exe[3836] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\System32\alg.exe[3836] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\BTHUSB \Device\00000094 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\BTHUSB \Device\00000096 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\StillImage\Logging\STIMOY@ Still Image Monitoring Process
Reg HKLM\SYSTEM\CurrentControlSet\Control\StillImage\Logging\STIMOY@Level 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\60fb428c0adc
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\60fb428c0adc (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\60fb428c0adc (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\avast! sandbox 0 bytes
File C:\avast! sandbox\snx_rhive 262144 bytes
File C:\avast! sandbox\snx_rhive.LOG 1024 bytes
File C:\Documents and Settings\Ryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\0y8yz0sn.default\Cache\C\DF\60221d02 30503 bytes

---- EOF - GMER 1.0.15 ----


Thanks in advance for any and all help,

Ryan



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,703 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:59 AM

Posted 07 July 2012 - 04:45 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/459032 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 R_P_M

R_P_M
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:01:59 PM

Posted 07 July 2012 - 06:11 PM

Hi HelpBot,

Yes I do still require help. I am certain that my computer has been infected with a rootkit of some description, as I continuously endure the following:

- Windows loading screen displayed for up to 60 seconds
- CHKDSK "inconveniently" running just about every day (which I never informed it to do)
- BSOD about PAGE_FAULT_IN_NONPAGED_AREA (have also received some about Win32k.sys, atapi.sys, and this morning I got a BSOD but no proper reason when I tried booting into Windows)
- Applications "encounter an error and need to close" - yet they worked fine the last session I logged in

I had done the DDS/GMER log as first requested; however, I acknowledge that the system may be changed by the rootkit, so I shall endeavour to post fresh logs should my system permit me.

Yes I do have the original Windows XP CD with me.

Edited by R_P_M, 07 July 2012 - 07:50 PM.


#4 R_P_M

R_P_M
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:01:59 PM

Posted 07 July 2012 - 07:49 PM

Fresh DDS Log:


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by Ryan at 7:14:28 on 2012-07-08
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Boot Camp\Bootcamp.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Ryan\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Apple_KbdMgr] c:\program files\boot camp\Bootcamp.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {A3CD7F74-93C9-4BC4-B892-CCDF1514F714} - hxxps://pbank.95559.com.cn/personbank/ocx/safe_bankcomm.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{0C438904-A411-4C49-BEA8-05D1CB4A47B7} : NameServer = 8.8.8.8,208.67.222.220
TCP: Interfaces\{0C438904-A411-4C49-BEA8-05D1CB4A47B7} : DhcpNameServer = 10.0.0.1
TCP: Interfaces\{8DCDC304-13FB-45C3-A9B9-325F074232AA} : NameServer = 8.8.8.8 208.67.222.220
TCP: Interfaces\{FCF32B85-60E0-4158-B648-FC047659B50C} : NameServer = 8.8.8.8 8.8.4.4
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ryan\application data\mozilla\firefox\profiles\0y8yz0sn.default\
FF - prefs.js: browser.startup.homepage - hxxp://qzone.qq.com/
FF - plugin: c:\documents and settings\ryan\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R? AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service
R? aswSnx;aswSnx
R? MozillaMaintenance;Mozilla Maintenance Service
R? SkypeUpdate;Skype Updater
S? !SASCORE;SAS Core Service
S? AppleHFS;AppleHFS
S? AppleMNT;AppleMNT
S? applemtm;Apple Multitouch Mouse
S? applemtp;Apple Multitouch
S? AppleOSSMgr;Apple OS Switch Manager
S? AppleTimeSrv;Apple Time Service
S? aswFsBlk;aswFsBlk
S? aswSP;aswSP
S? avast! Antivirus;avast! Antivirus
S? IRRemoteFlt;IR Receiver Filter Driver
S? KeyAgent;KeyAgent
S? KeyMagic;USB Keyboard HID Filter
S? MacHALDriver;Mac HAL
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
.
=============== Created Last 30 ================
.
2012-07-04 05:25:24 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Identities
2012-07-02 06:03:41 -------- d-----w- c:\documents and settings\ryan\application data\ExpressVPN
2012-07-02 06:03:09 -------- d-----w- c:\program files\ExpressVPN
2012-06-30 03:35:08 -------- d-----w- c:\program files\Pidgin
2012-06-29 23:11:40 -------- d-----w- c:\windows\pss
2012-06-29 23:07:08 -------- d-----w- c:\program files\Unlocker
2012-06-29 22:55:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-25 03:13:34 -------- d-----w- c:\program files\common files\Enterbrain
2012-06-18 23:13:22 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Turbine
2012-06-18 23:13:10 -------- d-----w- c:\documents and settings\ryan\local settings\application data\ApplicationHistory
2012-06-18 23:10:34 -------- d-----w- c:\windows\system32\URTTEMP
2012-06-18 23:09:49 3495784 ----a-w- c:\windows\system32\d3dx9_33.dll
2012-06-18 22:13:22 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-18 22:13:22 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-18 22:13:22 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-18 10:48:58 -------- d-----w- C:\03f852b638aac890901d6926
2012-06-18 04:16:54 -------- d-----w- c:\windows\system32\xlive
2012-06-18 04:16:41 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2012-06-18 03:59:39 -------- d-----w- C:\dbfbeeb1fb678f81c6659321
2012-06-18 03:30:58 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2012-06-18 03:30:57 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2012-06-18 03:30:50 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2012-06-17 09:51:01 -------- d-----w- c:\program files\Oracle
2012-06-16 05:28:34 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
2012-06-16 05:28:34 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2012-06-16 05:20:58 98816 ----a-w- c:\windows\sed.exe
2012-06-16 05:20:58 518144 ----a-w- c:\windows\SWREG.exe
2012-06-16 05:20:58 256000 ----a-w- c:\windows\PEV.exe
2012-06-16 05:20:58 208896 ----a-w- c:\windows\MBR.exe
2012-06-14 22:58:47 -------- d-sh--w- c:\documents and settings\ryan\IECompatCache
2012-06-14 22:28:41 -------- d-sh--w- c:\documents and settings\ryan\PrivacIE
2012-06-14 00:25:49 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Geckofx
2012-06-14 00:25:38 -------- d-----w- c:\documents and settings\ryan\application data\Firefly Studios
2012-06-14 00:08:28 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2012-06-14 00:08:28 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2012-06-14 00:08:28 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2012-06-14 00:08:19 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2012-06-14 00:08:18 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2012-06-14 00:08:18 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2012-06-14 00:08:16 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2012-06-14 00:08:14 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2012-06-14 00:08:08 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2012-06-14 00:07:53 -------- d-----w- c:\windows\Logs
2012-06-13 06:53:35 -------- d-----w- c:\program files\common files\Steam
2012-06-13 06:53:29 -------- d-----w- c:\program files\Steam
2012-06-12 22:32:33 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-12 07:40:57 -------- d-----w- c:\program files\Windows Media Connect 2
2012-06-12 07:38:48 -------- d-----w- c:\windows\system32\LogFiles
2012-06-11 23:49:58 -------- d-----w- c:\documents and settings\ryan\application data\Blender Foundation
2012-06-11 23:49:16 -------- d-----w- c:\documents and settings\ryan\.thumbnails
2012-06-11 02:20:41 -------- d-----w- c:\windows\ie8updates
2012-06-11 00:27:21 -------- d-----w- c:\documents and settings\ryan\application data\SUPERAntiSpyware.com
2012-06-11 00:25:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-06-11 00:25:48 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-06-10 23:21:43 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2012-06-10 23:21:42 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-06-10 23:21:42 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-06-10 23:21:42 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-06-10 23:21:40 629760 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2012-06-10 23:21:39 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
2012-06-10 03:56:55 -------- d-sh--w- c:\documents and settings\ryan\IETldCache
2012-06-10 01:16:59 -------- dc-h--w- c:\windows\ie8
2012-06-10 00:55:19 221184 ----a-w- c:\windows\system32\wmpns.dll
2012-06-09 22:37:02 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2012-06-09 22:36:15 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2012-06-09 22:34:55 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2012-06-09 22:27:12 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2012-06-09 22:26:11 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Amazon
2012-06-09 22:26:00 -------- d-----w- c:\program files\Amazon
2012-06-09 22:19:24 758784 -c--a-w- c:\windows\system32\dllcache\vgx.dll
2012-06-09 22:19:00 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-06-09 22:18:58 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2012-06-09 22:18:57 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-06-09 22:18:57 3072 ------w- c:\windows\system32\iacenc.dll
2012-06-09 22:17:05 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2012-06-09 07:09:38 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Sun
2012-06-09 05:14:42 -------- d-----w- c:\documents and settings\ryan\application data\Unity
2012-06-09 05:13:54 -------- d-----w- c:\documents and settings\ryan\local settings\application data\PACE Anti-Piracy
2012-06-09 05:13:54 -------- d-----w- c:\documents and settings\ryan\application data\PACE Anti-Piracy
2012-06-09 05:13:54 -------- d-----w- c:\documents and settings\all users\application data\PACE Anti-Piracy
2012-06-09 05:13:53 -------- d-----w- c:\program files\common files\PACE Anti-Piracy
2012-06-09 04:47:54 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-06-09 04:47:54 687504 ----a-w- c:\windows\system32\deployJava1.dll
2012-06-09 04:47:54 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-09 03:43:36 -------- d-----w- c:\documents and settings\ryan\local settings\application data\PCHealth
2012-06-09 03:41:11 -------- d-----w- c:\documents and settings\ryan\application data\OpenOffice.org
2012-06-09 02:39:09 -------- d-----w- c:\windows\system32\scripting
2012-06-09 02:39:08 -------- d-----w- c:\windows\l2schemas
2012-06-09 02:39:06 -------- d-----w- c:\windows\system32\en
2012-06-09 02:39:06 -------- d-----w- c:\windows\system32\bits
2012-06-09 02:28:15 -------- d-----w- c:\windows\network diagnostic
2012-06-09 02:03:54 95424 ------w- c:\windows\system32\drivers\slnthal.sys
2012-06-09 02:02:44 61440 ------w- c:\windows\system32\kmsvc.dll
2012-06-08 22:42:45 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Unity
2012-06-08 22:35:54 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Adobe
2012-06-08 22:35:51 -------- d-----w- c:\program files\Unity
2012-06-08 22:33:50 -------- d-----w- c:\program files\Blender Foundation
2012-06-08 22:31:59 -------- d-----r- c:\program files\Skype
2012-06-08 22:28:04 -------- d-----w- c:\documents and settings\ryan\application data\Malwarebytes
2012-06-08 22:27:57 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-06-08 22:27:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-08 22:27:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-06-08 22:25:26 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-06-08 22:24:33 41224 ----a-w- c:\windows\avastSS.scr
2012-06-08 22:24:06 -------- d-----w- c:\program files\AVAST Software
2012-06-08 22:24:06 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-06-08 22:15:56 -------- d-----w- c:\windows\EHome
2012-06-08 22:11:44 -------- d-----w- c:\program files\OpenOffice.org 3
2012-06-08 09:43:51 -------- d-----w- c:\program files\VideoLAN
2012-06-08 09:17:15 -------- d-----w- c:\windows\system32\XPSViewer
2012-06-08 09:16:47 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-06-08 09:16:35 117760 ------w- c:\windows\system32\prntvpt.dll
2012-06-08 09:16:34 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2012-06-08 09:16:34 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2012-06-08 09:16:34 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2012-06-08 09:16:34 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2012-06-08 09:16:34 575488 ------w- c:\windows\system32\xpsshhdr.dll
2012-06-08 09:16:34 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2012-06-08 09:16:34 1676288 ------w- c:\windows\system32\xpssvcs.dll
2012-06-08 09:16:34 -------- d-----w- C:\251a188fb20c1c481f70e956b250
2012-06-08 09:15:01 -------- d-----w- c:\program files\MSXML 6.0
2012-06-08 09:07:00 -------- d-----w- c:\documents and settings\ryan\application data\.purple
2012-06-08 09:04:56 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-08 09:04:56 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-08 09:03:52 -------- d-----w- c:\documents and settings\ryan\local settings\application data\Mozilla
2012-06-08 08:49:13 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2012-06-08 08:49:12 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2012-06-08 08:49:12 718336 -c----w- c:\windows\system32\dllcache\ntdll.dll
2012-06-08 08:49:12 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2012-06-08 08:49:12 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2012-06-08 08:49:12 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2012-06-08 08:49:12 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2012-06-08 08:49:12 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2012-06-08 08:49:12 110592 -c----w- c:\windows\system32\dllcache\services.exe
2012-06-08 08:49:11 2192640 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2012-06-08 08:49:11 2148352 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2012-06-08 08:49:10 2026496 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2012-06-08 08:21:01 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2012-06-08 08:20:45 357888 -c----w- c:\windows\system32\dllcache\srv.sys
2012-06-08 08:19:57 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2012-06-08 08:19:56 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2012-06-08 08:19:13 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2012-06-08 08:18:49 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2012-06-08 08:11:03 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2012-06-08 07:34:57 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2012-06-08 07:16:16 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2012-06-08 07:05:21 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2012-06-08 07:05:20 218112 -c----w- c:\windows\system32\dllcache\wordpad.exe
.
==================== Find3M ====================
.
2012-06-15 22:34:01 90112 ----a-w- c:\windows\DUMPd9b6.tmp
2012-06-02 07:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 07:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 07:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 07:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 07:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16:13 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 7:18:09.56 ===============

Fresh GMER Log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-08 08:45:17
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200BEVT-00A0RT0 rev.01.01A01
Running: 7kjkz30g.exe; Driver: C:\DOCUME~1\Ryan\LOCALS~1\Temp\fwkorkoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xAEFF2536]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xAF09B7BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xAEFF2F52]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xAF032C31]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xAEFFDD7A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xAEFFDDC6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xAEFFDF48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xAF0325E5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xAEFFDCE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xAEFFDE0A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xAEFFDD30]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xAEFF3146]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xAEFFDF02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xAEFF38CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xAEFF2584]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xAF0332F7]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xAF0335AD]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xAEFF6F36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAF033162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAF032FCD]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xAF09B89E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xAEFF21EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xAEFF25D2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xAEFF72A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xAEFF4292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xAEFFDDA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xAEFFDDE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xAEFFDF6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xAF032941]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xAEFFDD0E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xAEFF6AAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xAEFFDE8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xAEFFDD58]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xAEFF6CDE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xAEFFDF26]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xAF09BA1E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xAF032E48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xAEFF415E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xAF032C9A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xAEFF3D08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xAF0A7338]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xAF031C58]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xAEFF2620]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xAEFF266E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xAEFF374A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xAEFF2276]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xAEFF2426]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xAF0333FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xAEFF23CC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xAEFF3A2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xAEFF3B88]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xAEFF2496]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB5245640]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xAEFF35CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xAEFF26BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xAEFF2F96]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAF0B3744]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C88 80504540 4 Bytes [E8, DC, FF, AE]
.text ntkrnlpa.exe!ZwCallbackReturn + 2F28 805047E0 12 Bytes [20, 26, FF, AE, 6E, 26, FF, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FD0 80504888 12 Bytes [2C, 3A, FF, AE, 88, 3B, FF, ...] {SUB AL, 0x3a; JMP FAR DWORD [ESI-0x5100c478]; XCHG ESI, EAX; AND AL, 0xff; SCASB }
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64B0 4 Bytes CALL AEFF4943 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC55E 5 Bytes JMP AF0B061C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2FE2 5 Bytes JMP AF0B20FE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D119A 7 Bytes JMP AF0B3748 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7008360, 0x3E6B45, 0xE8000020]
.text win32k.sys!EngFreeUserMem + 674 BF8098F2 5 Bytes JMP AEFF88C0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFreeUserMem + 35D0 BF80C84E 5 Bytes JMP AEFF87B0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 45 BF8138E6 5 Bytes JMP AEFF876A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 11D3 BF81C550 5 Bytes JMP AEFF7E1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngSetLastError + 79A8 BF8240C0 5 Bytes JMP AEFF7538 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + F9C BF828A2A 5 Bytes JMP AEFF8A2A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 2C50 BF831475 5 Bytes JMP AEFF8C32 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + B687 BF839EAC 5 Bytes JMP AEFF8670 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + C2CF BF85174B 5 Bytes JMP AEFF73FC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + F17 BF85BC8A 5 Bytes JMP AEFF7EDE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 3581 BF85E2F4 5 Bytes JMP AEFF7992 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 360C BF85E37F 5 Bytes JMP AEFF7C58 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 88 BF85F5F2 5 Bytes JMP AEFF73E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 5457 BF8649C1 5 Bytes JMP AEFF87FA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 35FB BF8731C7 5 Bytes JMP AEFF7A52 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 4138 BF873D04 5 Bytes JMP AEFF7C12 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetLastError + 1606 BF890F6A 5 Bytes JMP AEFF7EF6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 26EE BF894515 5 Bytes JMP AEFF8972 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 583 BF894FED 5 Bytes JMP AEFF8B90 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 3857 BF89C393 5 Bytes JMP AEFF7E04 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 4DEC BF89D928 5 Bytes JMP AEFF75A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngEraseSurface + A9DC BF8C1E70 5 Bytes JMP AEFF76B8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1517 BF8CA2D2 5 Bytes JMP AEFF7790 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1797 BF8CA552 5 Bytes JMP AEFF78BC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + 3B3E BF8EBF17 5 Bytes JMP AEFF72DE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + CB53 BF8F4F2C 5 Bytes JMP AEFF7E34 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1A5A BF913814 5 Bytes JMP AEFF74D4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 262E BF9143E8 5 Bytes JMP AEFF7664 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4FA7 BF916D61 5 Bytes JMP AEFF7D72 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 1937 BF946E38 5 Bytes JMP AEFF8AE8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\rundll32.exe[132] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\rundll32.exe[132] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\rundll32.exe[132] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\rundll32.exe[132] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\rundll32.exe[132] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\rundll32.exe[132] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\rundll32.exe[132] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\rundll32.exe[132] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\rundll32.exe[132] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\rundll32.exe[132] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\system32\rundll32.exe[132] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\rundll32.exe[132] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\rundll32.exe[132] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\system32\rundll32.exe[132] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\system32\rundll32.exe[132] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\rundll32.exe[132] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\rundll32.exe[132] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\WINDOWS\Explorer.EXE[248] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[248] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[248] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\WINDOWS\system32\AppleTimeSrv.exe[416] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\AppleTimeSrv.exe[416] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
.text C:\Program Files\Boot Camp\Bootcamp.exe[432] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
.text C:\WINDOWS\system32\spoolsv.exe[512] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[512] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[548] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[548] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[608] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[608] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[676] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\SUPERAntiSpyware\SASCORE.EXE[676] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A1014
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A0804
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0A08
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A0C0C
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0E10
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A01F8
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A03FC
.text C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe[688] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A0600
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
.text C:\Program Files\Unlocker\UnlockerAssistant.exe[800] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC
.text C:\WINDOWS\system32\AppleOSSMgr.exe[808] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\AppleOSSMgr.exe[808] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\smss.exe[976] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\RUNDLL32.EXE[992] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A1014
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A0804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A0C0C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0E10
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A01F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A03FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A0600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B0804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B0600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B01F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1004] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B03FC
.text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1080] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1080] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[1128] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000501F8
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000503FC
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002A0804
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002A0A08
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002A0600
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002A01F8
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002A03FC
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[1144] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\winlogon.exe[1172] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[1172] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1192] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\ctfmon.exe[1192] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1192] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\ctfmon.exe[1192] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1192] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\system32\ctfmon.exe[1192] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\ctfmon.exe[1192] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\ctfmon.exe[1192] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\system32\ctfmon.exe[1192] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\system32\ctfmon.exe[1192] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\ctfmon.exe[1192] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\ctfmon.exe[1192] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\ctfmon.exe[1192] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\ctfmon.exe[1192] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\ctfmon.exe[1192] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\ctfmon.exe[1192] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\ctfmon.exe[1192] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\services.exe[1220] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[1220] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[1232] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[1232] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[1388] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[1388] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1552] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1552] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1656] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1768] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1768] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1852] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1852] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2044] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2044] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2044] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000801F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000803FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2312] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
.text C:\WINDOWS\System32\alg.exe[2704] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\alg.exe[2704] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2704] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
.text C:\WINDOWS\System32\alg.exe[2704] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2704] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B0804
.text C:\WINDOWS\System32\alg.exe[2704] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0A08
.text C:\WINDOWS\System32\alg.exe[2704] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B0600
.text C:\WINDOWS\System32\alg.exe[2704] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B01F8
.text C:\WINDOWS\System32\alg.exe[2704] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B03FC
.text C:\WINDOWS\System32\alg.exe[2704] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\System32\alg.exe[2704] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\System32\alg.exe[2704] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\System32\alg.exe[2704] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\System32\alg.exe[2704] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\System32\alg.exe[2704] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\System32\alg.exe[2704] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\System32\alg.exe[2704] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003F1014
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003F0804
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003F0A08
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003F0C0C
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003F0E10
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003F01F8
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003F03FC
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003F0600
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00AA0804
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00AA0A08
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00AA0600
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00AA01F8
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 00AA03FC
.text C:\WINDOWS\system32\wuauclt.exe[3256] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\wuauclt.exe[3256] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[3256] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\wuauclt.exe[3256] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[3256] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\system32\wuauclt.exe[3256] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\wuauclt.exe[3256] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\wuauclt.exe[3256] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\system32\wuauclt.exe[3256] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\system32\wuauclt.exe[3256] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\wuauclt.exe[3256] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\wuauclt.exe[3256] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\wuauclt.exe[3256] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\wuauclt.exe[3256] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\wuauclt.exe[3256] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\wuauclt.exe[3256] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\wuauclt.exe[3256] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
.text C:\WINDOWS\system32\wuauclt.exe[3956] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8
.text C:\WINDOWS\system32\wuauclt.exe[3956] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[3956] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC
.text C:\WINDOWS\system32\wuauclt.exe[3956] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[3956] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
.text C:\WINDOWS\system32\wuauclt.exe[3956] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\wuauclt.exe[3956] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\wuauclt.exe[3956] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
.text C:\WINDOWS\system32\wuauclt.exe[3956] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
.text C:\WINDOWS\system32\wuauclt.exe[3956] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\wuauclt.exe[3956] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\wuauclt.exe[3956] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\wuauclt.exe[3956] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
.text C:\WINDOWS\system32\wuauclt.exe[3956] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
.text C:\WINDOWS\system32\wuauclt.exe[3956] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
.text C:\WINDOWS\system32\wuauclt.exe[3956] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
.text C:\WINDOWS\system32\wuauclt.exe[3956] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\BTHUSB \Device\00000094 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000094 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\BTHUSB \Device\00000096 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000096 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Control\StillImage\Logging\STIMOY@ Still Image Monitoring Process
Reg HKLM\SYSTEM\ControlSet001\Control\StillImage\Logging\STIMOY@Level 4
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\60fb428c0adc (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\60fb428c0adc
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\60fb428c0adc (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\60fb428c0adc (not active ControlSet)

---- EOF - GMER 1.0.15 ----

Thank you once again for any and all help,

Ryan


#5 nasdaq

  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 July 2012 - 10:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Do you know what this process is or does?
C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe

If not then submit the file for a scan at Jotti.

>>> Run Jotti's malware scan: Please copy this line (in bold):
C:\Documents and Settings\Ryan\My Documents\Downloads\5gwls59r.exe
  • Go to Jotti's malware scan and click the Browse button,
  • A window will open, right-click in the File name field and choose Paste.
  • Click the Submit button and let the scan run uninterrupted.
  • At the end right-click the Permalink button and choose "Copy the link".
  • Open Notepad (Start => All Programs => Accessories) and click "Edition" => "Paste".
Please copy and paste this Permalink in your next reply.
If Jotti is busy, please go to http://www.virustotal.com

If found to be bad stop the process and delete the file.

===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please let me know what problem persists.
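As an added triage example, not code from this thread and not GMER's own tooling: the script below parses the `.text ...` hook lines of the "User code sections" part of a GMER log like the one Ryan posted, separates the 5-byte JMP detours from the 1-byte in-place patches, groups the detoured APIs into loader, service-control and message-hook families (that grouping is my own assumption, not something GMER reports), reports in-place patches that recur at the same site in several processes, and lists hooked binaries that run from a user profile directory, which is where nasdaq's question about the unknown executable fits in. The sample log lines are a constructed subset in the same shape as the real ones.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample lines in the shape of the "User code sections" part of a GMER
# log (a hand-picked subset, not the thread's actual file).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1468] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1468] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2704] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
.text C:\WINDOWS\System32\alg.exe[2704] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2704] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Documents and Settings\Ryan\Desktop\7kjkz30g.exe[2740] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00AA0804
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2044] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
"""

# One GMER hook line: .text <process>[<pid>] <module>!<func>[ + <off>] <addr> <n> Byte(s) <patch>
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?: \+ (?P<offset>[0-9A-Fa-f]+))? "
    r"(?P<addr>[0-9A-Fa-f]{8}) (?P<size>\d+) Bytes? (?P<patch>.*)$"
)

# Grouping of hooked APIs by what an interceptor gains from them. The grouping is
# this example's own assumption, not a classification GMER makes.
API_CATEGORIES = {
    "loader": {"LdrLoadDll", "LdrUnloadDll"},
    "service_control": {
        "CreateServiceA", "CreateServiceW", "DeleteService",
        "ChangeServiceConfigA", "ChangeServiceConfigW",
        "ChangeServiceConfig2A", "ChangeServiceConfig2W", "SetServiceObjectSecurity",
    },
    "message_hooks": {
        "SetWindowsHookExA", "SetWindowsHookExW", "UnhookWindowsHookEx",
        "SetWinEventHook", "UnhookWinEvent",
    },
}


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    func: str
    offset: int
    addr: int
    size: int
    patch: str

    @property
    def jmp_target(self):
        """Detour target for 'JMP xxxxxxxx' patches, None for in-place byte patches."""
        m = re.match(r"JMP ([0-9A-Fa-f]{8})", self.patch)
        return int(m.group(1), 16) if m else None

    @property
    def in_user_profile(self):
        """True when the hooked process image lives under a user profile directory."""
        p = self.process.lower()
        return "\\documents and settings\\" in p or "\\users\\" in p


def categorize(func):
    for cat, names in API_CATEGORIES.items():
        if func in names:
            return cat
    return "other"


def parse_hooks(text):
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:  # section headers, blank lines, non-.text entries
            continue
        hooks.append(Hook(
            process=m["proc"], pid=int(m["pid"]), module=m["module"], func=m["func"],
            offset=int(m["offset"] or "0", 16), addr=int(m["addr"], 16),
            size=int(m["size"]), patch=m["patch"].strip(),
        ))
    return hooks


def summarize(hooks):
    by_process = defaultdict(list)
    for h in hooks:
        by_process[(h.process, h.pid)].append(h)
    jmp_hooks = [h for h in hooks if h.jmp_target is not None]
    # In-place patches with identical bytes at the same site in more than one process
    # point to one interceptor applied system-wide rather than per-process injection.
    site_procs = defaultdict(set)
    for h in hooks:
        if h.jmp_target is None:
            site_procs[(h.module, h.func, h.offset, h.patch)].add((h.process, h.pid))
    shared = {site: len(p) for site, p in site_procs.items() if len(p) > 1}
    return {
        "process_count": len(by_process),
        "jmp_hooks": jmp_hooks,
        "jmp_by_category": Counter(categorize(h.func) for h in jmp_hooks),
        "shared_patches": shared,
        # Hooked processes running from a user profile: unfamiliar names here are the
        # ones to hash and look up before trusting them.
        "user_profile_binaries": sorted({h.process for h in hooks if h.in_user_profile}),
    }


if __name__ == "__main__":
    s = summarize(parse_hooks(SAMPLE_LOG))
    print(f"{s['process_count']} hooked processes, {len(s['jmp_hooks'])} JMP detours")
    for cat, n in s["jmp_by_category"].items():
        print(f"  {cat}: {n}")
    for (mod, func, off, patch), n in s["shared_patches"].items():
        print(f"  shared patch {mod}!{func}+{off:X} {patch} in {n} processes")
    for proc in s["user_profile_binaries"]:
        print(f"  user-profile binary hooked: {proc}")
```

Run it as a script to see the summary for the constructed sample; on a real log, read the file and pass its contents to `parse_hooks`. The output tells a responder what is intercepted and how uniformly across processes, which is the basis for deciding whether the hooks belong to one security product protecting everything or need a closer look; the script does not make that call itself.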

#6 R_P_M
  • Topic Starter
  • Members
  • 18 posts

Posted 09 July 2012 - 05:14 AM

Hi nasdaq,

I believe that was the name of GMER's downloaded file name.

However, I should also inform you - since I last posted the fresh logs, the rootkit has now taken over - Windows will not boot, giving a BSOD about registry hive files being corrupt or missing (in ALL possible boot options - Safe Mode, SafeMode & Networking, Normal, and Last Good Configuration).

I'm currently away on a trip until Wednesday afternoon, so I don't have access to the infected machine (left it behind, as it did this before leaving for the airport this morning).

If it ever starts again, I'll give it a whirl, but so far it's not looking good I'm afraid.

#7 nasdaq

  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 July 2012 - 09:43 AM

Place a request for help in this topic.
http://www.bleepingcomputer.com/forums/topic298500.html

Someone will help you with this BSOD.

#8 R_P_M
  • Topic Starter
  • Members
  • 18 posts

Posted 09 July 2012 - 06:37 PM

Hi nasdaq,

I clicked the link you gave me, and received the following:

[#10342] We could not determine which forum this topic is in.



#9 nasdaq

  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 July 2012 - 07:49 AM

Log in then try the link.

#10 R_P_M
  • Topic Starter
  • Members
  • 18 posts

Posted 10 July 2012 - 08:34 AM

Hi Nasdaq,

I logged in, retried the link, and got the same result: Error #10342. Is there a manual method I could follow? To the topic, I mean.

Regards,
Ryan

#11 nasdaq

  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 July 2012 - 08:43 AM

I posted a request for help in the forum.

Someone will get back to me or answer in this topic.

#12 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,205 posts
  • Gender:Female
  • Location:Romania

Posted 10 July 2012 - 03:21 PM

Hello R_P_M, do you have an XP CD at hand?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#13 R_P_M
  • Topic Starter
  • Members
  • 18 posts

Posted 10 July 2012 - 08:03 PM

Hi Elise,

Yes, I do have a copy of a Windows XP SP2 disk - although my PC was running SP3 before it stopped.

Thank you again Nasdaq - I don't know why I couldn't access the topic from the provided link.

#14 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,205 posts
  • Gender:Female
  • Location:Romania

Posted 11 July 2012 - 01:46 AM

  • Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.

  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and the Tab key to move between elements. Press Enter to select an item to change.
    • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
    • The tab should now show your current boot order.
      If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
  • Your PC should now boot from your XP-CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.

  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • When prompted to choose a Windows installation, type 1 and press Enter.
  • When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.

  • A command prompt will open.
Type chkdsk /r and press Enter.

Let the disk check run unhindered. Note, this may take a long time.
When done, type exit and press Enter to restart the computer, and let me know if you can get into Windows now.

regards, Elise




#15 R_P_M
  • Topic Starter
  • Members
  • 18 posts

Posted 12 July 2012 - 12:32 AM

Hi Elise,

I am trying the method you've given me - however, it doesn't seem to work on Boot Camp (OS X) partitioned machines. As my MacBook Pro is dual boot, it doesn't work the same as a solely Windows HDD. Can you recommend another method of action that can work on such a set-up?

I can successfully boot into OS X - but not into Windows. I am thinking about just removing the hard drive altogether, but only as an absolute last resort.

Ryan



