Root Kit....Zero Access

Page 1 of 11 1, 2, 3 ... 9, 10, 11  Next

View previous topic View next topic Go down

Root Kit....Zero Access

Post by JonEJet on Wed 30 May 2012, 3:26 am

Having problems with the laptop. Tried running combo fix, but it won't run, It keeps wanting me to reboot the computer.

Says I have a Root Kit, Zero Access.

Please help

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Gabethebabe on Wed 30 May 2012, 6:13 pm

Hi there JonEJet!

I am Gabethebabe and I will be helping you with this issue. Before we start some general remarks/rules:
  • Whilst I´m helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I´m here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end. If your computer starts running better, doesn´t mean it is clean yet!

====================

OK, so Zero Access is a nasty piece of work.

Normally combofix should be capable of removing it, I understand that it enters a reboot loop that does not end? We´re going to have and try some other things, then

Please download Zero Access Removal tool by Symantec from here and save it to your desktop.

  • Close all programs and doubleclick FixZeroAccess.exe to run the tool.
  • Accept the EULA and click Proceed
  • Allow the tool to restart your computer
  • After restarting it should provide you with a report
  • Please let me know what was the result.

As a matter of fact, since this is the first time I work with this tool, let me know if it saves a report to your desktop.

====================

After this, reboot your computer and try running ComboFix again.


Gabethebabe

Tech Advisor
Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Thu 31 May 2012, 1:34 am

Gabe,

First, I'd like to thank you for spending a little time helping me try to fix my computer. Your help is greatly appreciated.

So.....I downloaded, and ran the Zero Access Fix Tool. Similar to Combo Fix, it immediately shut down, and re booted my system. After re start, it ask me to run Zero Access again, which I did. It didn't seem like it ever really "scanned" my system, if that's what the tool does in fact do. Very quickly, a box popped up indicating there were no infections found.

I then ran Combo Fix again, per your instructions, and once again I found myself in the same reboot loop.

I saved Zero Access to my desktop, but there is no report to show to you.

Ugh. What now?

Thanks

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Gabethebabe on Thu 31 May 2012, 1:37 am

Lets try two other tools:

  • Download TDSSKiller by Kaspersky from here and save it to your desktop
  • Doubleclick TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
  • The report can also be found in the root of your Windows drive (most likely C:\).

====================

Please download aswMBR by Alwil Software from here and save it to your desktop.

  • Double click aswMBR.exe to run the tool
  • Click the Scan button to start the scan
  • Don´t panic if you see any **Rootkit** entries. The tool sometimes produces false alarms
  • Once the scan finishes click Save log to save the log to your desktop
  • Copy and paste the contents of this log (aswMBR.txt) into your next reply.


Gabethebabe

Tech Advisor
Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Thu 31 May 2012, 2:04 am

10:55:57.0670 3820 TDSS rootkit removing tool 2.7.36.0 May 21 2012 16:40:16
10:55:58.0092 3820 ============================================================
10:55:58.0092 3820 Current date / time: 2012/05/30 10:55:58.0092
10:55:58.0092 3820 SystemInfo:
10:55:58.0092 3820
10:55:58.0092 3820 OS Version: 6.0.6001 ServicePack: 1.0
10:55:58.0092 3820 Product type: Workstation
10:55:58.0092 3820 ComputerName: JONEJET-PC
10:55:58.0093 3820 UserName: JonEJet
10:55:58.0093 3820 Windows directory: C:\Windows
10:55:58.0093 3820 System windows directory: C:\Windows
10:55:58.0093 3820 Processor architecture: Intel x86
10:55:58.0093 3820 Number of processors: 2
10:55:58.0093 3820 Page size: 0x1000
10:55:58.0093 3820 Boot type: Normal boot
10:55:58.0093 3820 ============================================================
10:56:04.0989 3820 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
10:56:04.0993 3820 ============================================================
10:56:04.0993 3820 \Device\Harddisk0\DR0:
10:56:04.0993 3820 MBR partitions:
10:56:04.0993 3820 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2EE800, BlocksNum 0xDCA4800
10:56:04.0993 3820 ============================================================
10:56:05.0053 3820 C: <-> \Device\Harddisk0\DR0\Partition0
10:56:05.0053 3820 ============================================================
10:56:05.0053 3820 Initialize success
10:56:05.0053 3820 ============================================================
10:56:07.0938 0300 ============================================================
10:56:07.0938 0300 Scan started
10:56:07.0938 0300 Mode: Manual;
10:56:07.0938 0300 ============================================================
10:56:12.0627 0300 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
10:56:12.0636 0300 ACPI - ok
10:56:12.0734 0300 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
10:56:12.0747 0300 adp94xx - ok
10:56:12.0794 0300 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
10:56:12.0801 0300 adpahci - ok
10:56:12.0853 0300 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
10:56:12.0856 0300 adpu160m - ok
10:56:12.0908 0300 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
10:56:12.0912 0300 adpu320 - ok
10:56:12.0973 0300 AeLookupSvc (9d1fda9e086ba64e3c93c9de32461bcf) C:\Windows\System32\aelupsvc.dll
10:56:12.0975 0300 AeLookupSvc - ok
10:56:13.0072 0300 AFD (48eb99503533c27ac6135648e5474457) C:\Windows\system32\drivers\afd.sys
10:56:13.0078 0300 AFD - ok
10:56:13.0128 0300 AgereModemAudio (39e435c90c9c4f780fa0ed05ca3c3a1b) C:\Windows\system32\agrsmsvc.exe
10:56:13.0130 0300 AgereModemAudio - ok
10:56:14.0078 0300 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\Windows\system32\DRIVERS\AGRSM.sys
10:56:14.0132 0300 AgereSoftModem - ok
10:56:14.0179 0300 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
10:56:14.0183 0300 agp440 - ok
10:56:14.0824 0300 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
10:56:14.0828 0300 aic78xx - ok
10:56:14.0869 0300 ALG (a1545b731579895d8cc44fc0481c1192) C:\Windows\System32\alg.exe
10:56:14.0873 0300 ALG - ok
10:56:14.0923 0300 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
10:56:14.0926 0300 aliide - ok
10:56:15.0324 0300 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
10:56:15.0326 0300 amdagp - ok
10:56:15.0343 0300 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
10:56:15.0345 0300 amdide - ok
10:56:15.0392 0300 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
10:56:15.0394 0300 AmdK7 - ok
10:56:15.0425 0300 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
10:56:15.0427 0300 AmdK8 - ok
10:56:15.0546 0300 AntiVirSchedulerService (b4837fe56d76b2e9ea90e5365cf6a2be) C:\Program Files\Avira\AntiVir Desktop\sched.exe
10:56:17.0217 0300 AntiVirSchedulerService - ok
10:56:18.0035 0300 AntiVirService (df5a3016052755c910a206058b4a1729) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
10:56:18.0043 0300 AntiVirService - ok
10:56:18.0103 0300 Appinfo (c6d704c7f0434dc791aac37cac4b6e14) C:\Windows\System32\appinfo.dll
10:56:18.0106 0300 Appinfo - ok
10:56:18.0178 0300 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
10:56:18.0180 0300 arc - ok
10:56:18.0247 0300 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
10:56:18.0249 0300 arcsas - ok
10:56:18.0283 0300 aswFsBlk (0ae43c6c411254049279c2ee55630f95) C:\Windows\system32\drivers\aswFsBlk.sys
10:56:18.0285 0300 aswFsBlk - ok
10:56:18.0330 0300 aswMonFlt (6693141560b1615d8dccf0d8eb00087e) C:\Windows\system32\drivers\aswMonFlt.sys
10:56:18.0332 0300 aswMonFlt - ok
10:56:18.0349 0300 aswRdr (da12626fd9a67f4e917e2f2fbe1e1764) C:\Windows\system32\drivers\aswRdr.sys
10:56:18.0350 0300 aswRdr - ok
10:56:18.0443 0300 aswSnx (dcb199b967375753b5019ec15f008f53) C:\Windows\system32\drivers\aswSnx.sys
10:56:18.0455 0300 aswSnx - ok
10:56:18.0503 0300 aswSP (b32873e5a1443c0a1e322266e203bf10) C:\Windows\system32\drivers\aswSP.sys
10:56:18.0510 0300 aswSP - ok
10:56:18.0535 0300 aswTdi (6ff544175a9180c5d88534d3d9c9a9f7) C:\Windows\system32\drivers\aswTdi.sys
10:56:18.0537 0300 aswTdi - ok
10:56:18.0593 0300 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
10:56:18.0595 0300 AsyncMac - ok
10:56:18.0628 0300 atapi (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
10:56:18.0629 0300 atapi - ok
10:56:18.0699 0300 AudioEndpointBuilder (42076e29aafa0830a2c5d4e310f58dd1) C:\Windows\System32\Audiosrv.dll
10:56:18.0707 0300 AudioEndpointBuilder - ok
10:56:18.0718 0300 Audiosrv (42076e29aafa0830a2c5d4e310f58dd1) C:\Windows\System32\Audiosrv.dll
10:56:18.0722 0300 Audiosrv - ok
10:56:18.0803 0300 avast! Antivirus (4041d31508a2a084dfb42c595854090f) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
10:56:18.0804 0300 avast! Antivirus - ok
10:56:18.0842 0300 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\Windows\system32\DRIVERS\avgntflt.sys
10:56:18.0844 0300 avgntflt - ok
10:56:18.0888 0300 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\Windows\system32\DRIVERS\avipbb.sys
10:56:18.0891 0300 avipbb - ok
10:56:19.0049 0300 BBSvc (825f81a6f7dd073509db101f0ba6dc59) C:\Program Files\Microsoft\BingBar\BBSvc.EXE
10:56:19.0054 0300 BBSvc - ok
10:56:19.0112 0300 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
10:56:19.0113 0300 Beep - ok
10:56:19.0274 0300 BITS (02ed7b4dbc2a3232a389106da7515c3d) C:\Windows\system32\qmgr.dll
10:56:19.0295 0300 BITS - ok
10:56:19.0305 0300 blbdrive - ok
10:56:19.0349 0300 bowser (8153396d5551276227fa146900f734e6) C:\Windows\system32\DRIVERS\bowser.sys
10:56:19.0352 0300 bowser - ok
10:56:19.0401 0300 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
10:56:19.0403 0300 BrFiltLo - ok
10:56:19.0419 0300 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
10:56:19.0421 0300 BrFiltUp - ok
10:56:19.0448 0300 Browser (a3629a0c4226f9e9c72faaeebc3ad33c) C:\Windows\System32\browser.dll
10:56:19.0451 0300 Browser - ok
10:56:19.0474 0300 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
10:56:19.0477 0300 Brserid - ok
10:56:19.0500 0300 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
10:56:19.0504 0300 BrSerWdm - ok
10:56:19.0529 0300 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
10:56:19.0530 0300 BrUsbMdm - ok
10:56:19.0542 0300 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
10:56:19.0544 0300 BrUsbSer - ok
10:56:19.0568 0300 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
10:56:19.0571 0300 BTHMODEM - ok
10:56:19.0693 0300 catchme - ok
10:56:19.0751 0300 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
10:56:19.0754 0300 cdfs - ok
10:56:19.0801 0300 CertPropSvc (87c2d0377b23e2d8a41093c2f5fb1a5b) C:\Windows\System32\certprop.dll
10:56:19.0804 0300 CertPropSvc - ok
10:56:19.0861 0300 CFSvcs (c82162949bba6cc5d006c7bd008f3cf1) C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
10:56:19.0864 0300 CFSvcs - ok
10:56:19.0885 0300 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
10:56:19.0888 0300 circlass - ok
10:56:19.0961 0300 CLFS (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys
10:56:19.0969 0300 CLFS - ok
10:56:20.0042 0300 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
10:56:20.0047 0300 clr_optimization_v2.0.50727_32 - ok
10:56:20.0179 0300 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
10:56:20.0184 0300 clr_optimization_v4.0.30319_32 - ok
10:56:20.0252 0300 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
10:56:20.0254 0300 CmBatt - ok
10:56:20.0302 0300 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
10:56:20.0304 0300 cmdide - ok
10:56:20.0322 0300 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
10:56:20.0324 0300 Compbatt - ok
10:56:20.0336 0300 COMSysApp - ok
10:56:20.0359 0300 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
10:56:20.0362 0300 crcdisk - ok
10:56:20.0388 0300 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
10:56:20.0390 0300 Crusoe - ok
10:56:20.0452 0300 CryptSvc (6de363f9f99334514c46aec02d3e3678) C:\Windows\system32\cryptsvc.dll
10:56:20.0456 0300 CryptSvc - ok
10:56:20.0629 0300 cvhsvc (72794d112cbaff3bc0c29bf7350d4741) C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
10:56:20.0637 0300 cvhsvc - ok
10:56:20.0681 0300 CWMonitor - ok
10:56:20.0780 0300 DcomLaunch (301ae00e12408650baddc04dbc832830) C:\Windows\system32\rpcss.dll
10:56:20.0798 0300 DcomLaunch - ok
10:56:20.0857 0300 DfsC (a3e9fa213f443ac77c7746119d13feec) C:\Windows\system32\Drivers\dfsc.sys
10:56:20.0858 0300 DfsC - ok
10:56:21.0221 0300 DFSR (fa3463f25f9cc9c3bcf1e7912feff099) C:\Windows\system32\DFSR.exe
10:56:21.0274 0300 DFSR - ok
10:56:21.0493 0300 Dhcp (43a988a9c10333476cb5fb667cbd629d) C:\Windows\System32\dhcpcsvc.dll
10:56:21.0501 0300 Dhcp - ok
10:56:21.0548 0300 disk (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys
10:56:21.0550 0300 disk - ok
10:56:21.0610 0300 Dnscache (4805d9a6d281c7a7defd9094dec6af7d) C:\Windows\System32\dnsrslvr.dll
10:56:21.0616 0300 Dnscache - ok
10:56:21.0669 0300 dot3svc (5af620a08c614e24206b79e8153cf1a8) C:\Windows\System32\dot3svc.dll
10:56:21.0677 0300 dot3svc - ok
10:56:21.0735 0300 DPS (a622e888f8aa2f6b49e9bc466f0e5def) C:\Windows\system32\dps.dll
10:56:21.0743 0300 DPS - ok
10:56:21.0786 0300 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
10:56:21.0788 0300 drmkaud - ok
10:56:21.0873 0300 DXGKrnl (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys
10:56:21.0879 0300 DXGKrnl - ok
10:56:21.0937 0300 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
10:56:21.0941 0300 E1G60 - ok
10:56:22.0001 0300 EapHost (c0b95e40d85cd807d614e264248a45b9) C:\Windows\System32\eapsvc.dll
10:56:22.0003 0300 EapHost - ok
10:56:22.0065 0300 Ecache (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys
10:56:22.0069 0300 Ecache - ok
10:56:22.0142 0300 ehRecvr (9be3744d295a7701eb425332014f0797) C:\Windows\ehome\ehRecvr.exe
10:56:22.0149 0300 ehRecvr - ok
10:56:22.0180 0300 ehSched (ad1870c8e5d6dd340c829e6074bf3c3f) C:\Windows\ehome\ehsched.exe
10:56:22.0184 0300 ehSched - ok
10:56:22.0204 0300 ehstart (c27c4ee8926e74aa72efcab24c5242c3) C:\Windows\ehome\ehstart.dll
10:56:22.0205 0300 ehstart - ok
10:56:22.0281 0300 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
10:56:22.0289 0300 elxstor - ok
10:56:22.0387 0300 EMDMgmt (70b1a86df0c8ead17d2bc332edae2c7c) C:\Windows\system32\emdmgmt.dll
10:56:22.0403 0300 EMDMgmt - ok
10:56:22.0503 0300 EventSystem (3cb3343d720168b575133a0a20dc2465) C:\Windows\system32\es.dll
10:56:22.0513 0300 EventSystem - ok
10:56:22.0584 0300 exfat (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys
10:56:22.0588 0300 exfat - ok
10:56:22.0627 0300 fastfat (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys
10:56:22.0632 0300 fastfat - ok
10:56:22.0683 0300 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
10:56:22.0685 0300 fdc - ok
10:56:22.0706 0300 fdPHost (6629b5f0e98151f4afdd87567ea32ba3) C:\Windows\system32\fdPHost.dll
10:56:22.0710 0300 fdPHost - ok
10:56:22.0739 0300 FDResPub (89ed56dce8e47af40892778a5bd31fd2) C:\Windows\system32\fdrespub.dll
10:56:22.0743 0300 FDResPub - ok
10:56:22.0769 0300 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
10:56:22.0772 0300 FileInfo - ok
10:56:22.0801 0300 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
10:56:22.0803 0300 Filetrace - ok
10:56:22.0833 0300 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
10:56:22.0835 0300 flpydisk - ok
10:56:22.0875 0300 FltMgr (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys
10:56:22.0881 0300 FltMgr - ok
10:56:22.0971 0300 FontCache3.0.0.0 (c9be08664611ddaf98e2331e9288b00b) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
10:56:22.0973 0300 FontCache3.0.0.0 - ok
10:56:23.0865 0300 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
10:56:23.0943 0300 Fs_Rec - ok
10:56:24.0143 0300 FwLnk (cbc22823628544735625b280665e434e) C:\Windows\system32\DRIVERS\FwLnk.sys
10:56:24.0145 0300 FwLnk - ok
10:56:24.0173 0300 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
10:56:24.0177 0300 gagp30kx - ok
10:56:24.0377 0300 GameConsoleService (01a5829dd261b4f3dd66d7e9f9b973f5) C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
10:56:24.0383 0300 GameConsoleService - ok
10:56:24.0678 0300 GoogleDesktopManager (c95c07ef63811d1fef85d0c584b1c6ad) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
10:56:24.0708 0300 GoogleDesktopManager - ok
10:56:24.0910 0300 gpsvc (d9f1113d9401185245573350712f92fc) C:\Windows\System32\gpsvc.dll
10:56:24.0926 0300 gpsvc - ok
10:56:25.0019 0300 gupdate1caa3b3b7341e00 (626a24ed1228580b9518c01930936df9) C:\Program Files\Google\Update\GoogleUpdate.exe
10:56:25.0020 0300 gupdate1caa3b3b7341e00 - ok
10:56:25.0027 0300 gupdatem (626a24ed1228580b9518c01930936df9) C:\Program Files\Google\Update\GoogleUpdate.exe
10:56:25.0029 0300 gupdatem - ok
10:56:25.0073 0300 gusvc (751c1d2ca2abf4a9f5a6b8d7d45b907c) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
10:56:25.0078 0300 gusvc - ok
10:56:25.0163 0300 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
10:56:25.0169 0300 HdAudAddService - ok
10:56:25.0194 0300 HDAudBus (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys
10:56:25.0196 0300 HDAudBus - ok
10:56:25.0237 0300 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
10:56:25.0239 0300 HidBth - ok
10:56:25.0282 0300 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
10:56:25.0285 0300 HidIr - ok
10:56:25.0335 0300 hidserv (8fa640195279ace21bea91396a0054fc) C:\Windows\System32\hidserv.dll
10:56:25.0340 0300 hidserv - ok
10:56:25.0405 0300 HidUsb (854ca287ab7faf949617a788306d967e) C:\Windows\system32\DRIVERS\hidusb.sys
10:56:25.0407 0300 HidUsb - ok
10:56:25.0449 0300 hkmsvc (d8ad255b37da92434c26e4876db7d418) C:\Windows\system32\kmsvc.dll
10:56:25.0456 0300 hkmsvc - ok
10:56:25.0501 0300 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
10:56:25.0504 0300 HpCISSs - ok
10:56:25.0575 0300 HTTP (96e241624c71211a79c84f50a8e71cab) C:\Windows\system32\drivers\HTTP.sys
10:56:25.0580 0300 HTTP - ok
10:56:25.0631 0300 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
10:56:25.0633 0300 i2omp - ok
10:56:25.0703 0300 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
10:56:25.0704 0300 i8042prt - ok
10:56:25.0793 0300 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
10:56:25.0799 0300 iaStorV - ok
10:56:25.0863 0300 IDriverT (daf66902f08796f9c694901660e5a64a) C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
10:56:25.0868 0300 IDriverT - ok
10:56:26.0338 0300 idsvc (7b630acaed64fef0c3e1cf255cb56686) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
10:56:26.0361 0300 idsvc - ok
10:56:26.0727 0300 igfx (038815297078d236d8cc064c295a74c6) C:\Windows\system32\DRIVERS\igdkmd32.sys
10:56:26.0758 0300 igfx - ok
10:56:26.0923 0300 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
10:56:26.0925 0300 iirsp - ok
10:56:27.0010 0300 IKEEXT (a3bc480a2bf8aa8e4dabd2d5dce0afac) C:\Windows\System32\ikeext.dll
10:56:27.0021 0300 IKEEXT - ok
10:56:27.0237 0300 IntcAzAudAddService (b84732d9f8459abf6323d28a3270dc19) C:\Windows\system32\drivers\RTKVHDA.sys
10:56:27.0277 0300 IntcAzAudAddService - ok
10:56:27.0465 0300 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
10:56:27.0467 0300 intelide - ok
10:56:27.0518 0300 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
10:56:27.0520 0300 intelppm - ok
10:56:27.0552 0300 IO_Memory - ok
10:56:27.0593 0300 IPBusEnum (9ac218c6e6105477484c6fdbe7d409a4) C:\Windows\system32\ipbusenum.dll
10:56:27.0600 0300 IPBusEnum - ok
10:56:27.0647 0300 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
10:56:27.0650 0300 IpFilterDriver - ok
10:56:27.0737 0300 iphlpsvc (6a35d233693edc29a12742049bc5e37f) C:\Windows\System32\iphlpsvc.dll
10:56:27.0746 0300 iphlpsvc - ok
10:56:27.0758 0300 IpInIp - ok
10:56:27.0799 0300 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
10:56:27.0801 0300 IPMIDRV - ok
10:56:27.0834 0300 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
10:56:27.0836 0300 IPNAT - ok
10:56:27.0852 0300 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
10:56:27.0853 0300 IRENUM - ok
10:56:27.0878 0300 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
10:56:27.0881 0300 isapnp - ok
10:56:27.0949 0300 iScsiPrt (f247eec28317f6c739c16de420097301) C:\Windows\system32\DRIVERS\msiscsi.sys
10:56:27.0952 0300 iScsiPrt - ok
10:56:27.0971 0300 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
10:56:27.0973 0300 iteatapi - ok
10:56:28.0004 0300 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
10:56:28.0006 0300 iteraid - ok
10:56:28.0044 0300 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
10:56:28.0045 0300 kbdclass - ok
10:56:28.0086 0300 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\DRIVERS\kbdhid.sys
10:56:28.0088 0300 kbdhid - ok
10:56:28.0123 0300 KeyIso (a911ecac81f94adeafbe8e3f7873edb0) C:\Windows\system32\lsass.exe
10:56:28.0126 0300 KeyIso - ok
10:56:28.0164 0300 KR10I (e8ca038f51f7761bd6e3a3b0b8014263) C:\Windows\system32\drivers\kr10i.sys
10:56:28.0169 0300 KR10I - ok
10:56:28.0225 0300 KR10N (6a4adb9186dd0e114e623daf57e42b31) C:\Windows\system32\drivers\kr10n.sys
10:56:28.0230 0300 KR10N - ok
10:56:28.0300 0300 KR3NPXP (485e005cd51ff502fb16483eb4b69c17) C:\Windows\system32\drivers\kr3npxp.sys
10:56:28.0311 0300 KR3NPXP - ok
10:56:28.0375 0300 KSecDD (7a0cf7908b6824d6a2a1d313e5ae3dca) C:\Windows\system32\Drivers\ksecdd.sys
10:56:28.0381 0300 KSecDD - ok
10:56:28.0467 0300 KtmRm (8078f8f8f7a79e2e6b494523a828c585) C:\Windows\system32\msdtckrm.dll
10:56:28.0475 0300 KtmRm - ok
10:56:28.0529 0300 LanmanServer (1925e63c91cf1610ae41bfd539062079) C:\Windows\System32\srvsvc.dll
10:56:28.0538 0300 LanmanServer - ok
10:56:28.0598 0300 LanmanWorkstation (2ae2e1628c5d3f1c0a46a67c9fa1df15) C:\Windows\System32\wkssvc.dll
10:56:28.0609 0300 LanmanWorkstation - ok
10:56:28.0651 0300 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
10:56:28.0654 0300 lltdio - ok
10:56:28.0696 0300 lltdsvc (2d5a428872f1442631d0959a34abff63) C:\Windows\System32\lltdsvc.dll
10:56:28.0705 0300 lltdsvc - ok
10:56:28.0745 0300 lmhosts (35d40113e4a5b961b6ce5c5857702518) C:\Windows\System32\lmhsvc.dll
10:56:28.0757 0300 lmhosts - ok
10:56:28.0816 0300 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
10:56:28.0819 0300 LSI_FC - ok
10:56:28.0848 0300 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
10:56:28.0851 0300 LSI_SAS - ok
10:56:28.0878 0300 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
10:56:28.0882 0300 LSI_SCSI - ok
10:56:28.0940 0300 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
10:56:28.0943 0300 luafv - ok
10:56:28.0980 0300 lxdu_device - ok
10:56:29.0035 0300 Mcx2Svc (aef9babb8a506bc4ce0451a64aaded46) C:\Windows\system32\Mcx2Svc.dll
10:56:29.0042 0300 Mcx2Svc - ok
10:56:29.0261 0300 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
10:56:29.0264 0300 megasas - ok
10:56:29.0298 0300 MMCSS (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
10:56:29.0307 0300 MMCSS - ok
10:56:29.0336 0300 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
10:56:29.0339 0300 Modem - ok
10:56:29.0374 0300 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
10:56:29.0376 0300 monitor - ok
10:56:29.0417 0300 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
10:56:29.0419 0300 mouclass - ok
10:56:29.0437 0300 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
10:56:29.0439 0300 mouhid - ok
10:56:29.0479 0300 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
10:56:29.0482 0300 MountMgr - ok
10:56:29.0543 0300 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
10:56:29.0546 0300 mpio - ok
10:56:29.0579 0300 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
10:56:29.0586 0300 mpsdrv - ok
10:56:29.0639 0300 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
10:56:29.0641 0300 Mraid35x - ok
10:56:29.0685 0300 MRxDAV (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys
10:56:29.0689 0300 MRxDAV - ok
10:56:29.0745 0300 mrxsmb (5734a0f2be7e495f7d3ed6efd4b9f5a1) C:\Windows\system32\DRIVERS\mrxsmb.sys
10:56:29.0752 0300 mrxsmb - ok
10:56:29.0808 0300 mrxsmb10 (6b5fa5adfacac9dbbe0991f4566d7d55) C:\Windows\system32\DRIVERS\mrxsmb10.sys
10:56:29.0814 0300 mrxsmb10 - ok
10:56:29.0830 0300 mrxsmb20 (5c80d8159181c7abf1b14ba703b01e0b) C:\Windows\system32\DRIVERS\mrxsmb20.sys
10:56:29.0834 0300 mrxsmb20 - ok
10:56:29.0885 0300 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
10:56:29.0888 0300 msahci - ok
10:56:29.0931 0300 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
10:56:29.0933 0300 msdsm - ok
10:56:29.0972 0300 MSDTC (fd7520cc3a80c5fc8c48852bb24c6ded) C:\Windows\System32\msdtc.exe
10:56:29.0978 0300 MSDTC - ok
10:56:30.0007 0300 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
10:56:30.0009 0300 Msfs - ok
10:56:30.0024 0300 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
10:56:30.0026 0300 msisadrv - ok
10:56:30.0061 0300 MSiSCSI (85466c0757a23d9a9aecdc0755203cb2) C:\Windows\system32\iscsiexe.dll
10:56:30.0066 0300 MSiSCSI - ok
10:56:30.0072 0300 msiserver - ok
10:56:30.0098 0300 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
10:56:30.0099 0300 MSKSSRV - ok
10:56:30.0156 0300 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
10:56:30.0158 0300 MSPCLOCK - ok
10:56:30.0165 0300 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
10:56:30.0167 0300 MSPQM - ok
10:56:30.0209 0300 MsRPC (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys
10:56:30.0213 0300 MsRPC - ok
10:56:30.0251 0300 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
10:56:30.0253 0300 mssmbios - ok
10:56:30.0271 0300 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
10:56:30.0273 0300 MSTEE - ok
10:56:30.0299 0300 Mup (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys
10:56:30.0301 0300 Mup - ok
10:56:30.0368 0300 napagent (c43b25863fbd65b6d2a142af3ae320ca) C:\Windows\system32\qagentRT.dll
10:56:30.0380 0300 napagent - ok
10:56:30.0453 0300 NativeWifiP (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys
10:56:30.0458 0300 NativeWifiP - ok
10:56:30.0545 0300 NDIS (9bdc71790fa08f0a0b5f10462b1bd0b1) C:\Windows\system32\drivers\ndis.sys
10:56:30.0558 0300 NDIS - ok
10:56:30.0593 0300 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
10:56:30.0596 0300 NdisTapi - ok
10:56:30.0614 0300 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
10:56:30.0616 0300 Ndisuio - ok
10:56:30.0639 0300 NdisWan (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys
10:56:30.0643 0300 NdisWan - ok
10:56:30.0665 0300 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
10:56:30.0668 0300 NDProxy - ok
10:56:30.0688 0300 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
10:56:30.0690 0300 NetBIOS - ok
10:56:30.0728 0300 netbt (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys
10:56:30.0734 0300 netbt - ok
10:56:30.0767 0300 Netlogon (a911ecac81f94adeafbe8e3f7873edb0) C:\Windows\system32\lsass.exe
10:56:30.0772 0300 Netlogon - ok
10:56:30.0823 0300 Netman (c8052711daecc48b982434c5116ca401) C:\Windows\System32\netman.dll
10:56:30.0838 0300 Netman - ok
10:56:30.0897 0300 netprofm (2ef3bbe22e5a5acd1428ee387a0d0172) C:\Windows\System32\netprofm.dll
10:56:30.0909 0300 netprofm - ok
10:56:30.0980 0300 NetTcpPortSharing (0ad5876ef4e9eb77c8f93eb5b2fff386) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
10:56:30.0985 0300 NetTcpPortSharing - ok
10:56:31.0028 0300 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
10:56:31.0031 0300 nfrd960 - ok
10:56:31.0068 0300 NlaSvc (2997b15415f9bbe05b5a4c1c85e0c6a2) C:\Windows\System32\nlasvc.dll
10:56:31.0077 0300 NlaSvc - ok
10:56:31.0105 0300 Npfs (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys
10:56:31.0108 0300 Npfs - ok
10:56:31.0137 0300 nsi (8bb86f0c7eea2bded6fe095d0b4ca9bd) C:\Windows\system32\nsisvc.dll
10:56:31.0144 0300 nsi - ok
10:56:31.0162 0300 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
10:56:31.0165 0300 nsiproxy - ok
10:56:31.0306 0300 Ntfs (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys
10:56:31.0325 0300 Ntfs - ok
10:56:31.0358 0300 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
10:56:31.0360 0300 ntrigdigi - ok
10:56:31.0388 0300 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
10:56:31.0390 0300 Null - ok
10:56:31.0413 0300 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
10:56:31.0417 0300 nvraid - ok
10:56:31.0442 0300 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
10:56:31.0444 0300 nvstor - ok
10:56:31.0475 0300 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
10:56:31.0478 0300 nv_agp - ok
10:56:31.0485 0300 NwlnkFlt - ok
10:56:31.0495 0300 NwlnkFwd - ok
10:56:31.0651 0300 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
10:56:31.0661 0300 odserv - ok
10:56:31.0695 0300 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\DRIVERS\ohci1394.sys
10:56:31.0697 0300 ohci1394 - ok
10:56:31.0775 0300 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
10:56:31.0780 0300 ose - ok
10:56:32.0321 0300 osppsvc (358a9cca612c68eb2f07ddad4ce1d8d7) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
10:56:32.0484 0300 osppsvc - ok
10:56:32.0690 0300 p2pimsvc (5de1a3972fd3112c75eb17bdcf454169) C:\Windows\system32\p2psvc.dll
10:56:32.0709 0300 p2pimsvc - ok
10:56:32.0728 0300 p2psvc (5de1a3972fd3112c75eb17bdcf454169) C:\Windows\system32\p2psvc.dll
10:56:32.0738 0300 p2psvc - ok
10:56:32.0781 0300 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
10:56:32.0784 0300 Parport - ok
10:56:32.0810 0300 partmgr (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys
10:56:32.0814 0300 partmgr - ok
10:56:32.0831 0300 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
10:56:32.0833 0300 Parvdm - ok
10:56:32.0852 0300 PcaSvc (c6276ad11f4bb49b58aa1ed88537f14a) C:\Windows\System32\pcasvc.dll
10:56:32.0858 0300 PcaSvc - ok
10:56:32.0906 0300 pci (01b94418deb235dff777cc80076354b4) C:\Windows\system32\drivers\pci.sys
10:56:32.0909 0300 pci - ok
10:56:32.0939 0300 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
10:56:32.0941 0300 pciide - ok
10:56:32.0982 0300 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\DRIVERS\pcmcia.sys
10:56:32.0988 0300 pcmcia - ok
10:56:33.0122 0300 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
10:56:33.0137 0300 PEAUTH - ok
10:56:33.0270 0300 pinger (6dbf2ac2bdaff355995ab25eccc4cfe1) C:\TOSHIBA\IVP\ISM\pinger.exe
10:56:33.0275 0300 pinger - ok
10:56:33.0439 0300 pla (b1689df169143f57053f795390c99db3) C:\Windows\system32\pla.dll
10:56:33.0478 0300 pla - ok
10:56:33.0636 0300 PlugPlay (78f975cb6d18265be6f492edb2d7bc7b) C:\Windows\system32\umpnpmgr.dll
10:56:33.0648 0300 PlugPlay - ok
10:56:33.0751 0300 PNRPAutoReg (5de1a3972fd3112c75eb17bdcf454169) C:\Windows\system32\p2psvc.dll
10:56:33.0767 0300 PNRPAutoReg - ok
10:56:33.0798 0300 PNRPsvc (5de1a3972fd3112c75eb17bdcf454169) C:\Windows\system32\p2psvc.dll
10:56:33.0814 0300 PNRPsvc - ok
10:56:33.0891 0300 PolicyAgent (47b8f37aa18b74d8c2e1bc1a7a2c8f8a) C:\Windows\System32\ipsecsvc.dll
10:56:33.0901 0300 PolicyAgent - ok
10:56:33.0970 0300 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
10:56:33.0973 0300 PptpMiniport - ok
10:56:34.0021 0300 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
10:56:34.0023 0300 Processor - ok
10:56:34.0079 0300 ProfSvc (b627e4fc8585e8843c5905d4d3587a90) C:\Windows\system32\profsvc.dll
10:56:34.0088 0300 ProfSvc - ok
10:56:34.0123 0300 ProtectedStorage (a911ecac81f94adeafbe8e3f7873edb0) C:\Windows\system32\lsass.exe
10:56:34.0126 0300 ProtectedStorage - ok
10:56:34.0158 0300 PSched (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys
10:56:34.0162 0300 PSched - ok
10:56:34.0179 0300 PxHelp20 (f7bb4e7a7c02ab4a2672937e124e306e) C:\Windows\system32\Drivers\PxHelp20.sys
10:56:34.0181 0300 PxHelp20 - ok
10:56:34.0334 0300 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
10:56:34.0354 0300 ql2300 - ok
10:56:34.0387 0300 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
10:56:34.0390 0300 ql40xx - ok
10:56:34.0438 0300 QWAVE (e9ecae663f47e6cb43962d18ab18890f) C:\Windows\system32\qwave.dll
10:56:34.0449 0300 QWAVE - ok
10:56:34.0469 0300 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
10:56:34.0472 0300 QWAVEdrv - ok
10:56:34.0502 0300 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
10:56:34.0504 0300 RasAcd - ok
10:56:34.0537 0300 RasAuto (f6a452eb4ceadbb51c9e0ee6b3ecef0f) C:\Windows\System32\rasauto.dll
10:56:34.0545 0300 RasAuto - ok
10:56:34.0569 0300 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
10:56:34.0573 0300 Rasl2tp - ok
10:56:34.0609 0300 RasMan (6e7c284fc5c4ec07ad164d93810385a6) C:\Windows\System32\rasmans.dll
10:56:34.0619 0300 RasMan - ok
10:56:34.0643 0300 RasPppoe (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys
10:56:34.0646 0300 RasPppoe - ok
10:56:34.0682 0300 RasSstp (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys
10:56:34.0685 0300 RasSstp - ok
10:56:34.0720 0300 rdbss (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys
10:56:34.0726 0300 rdbss - ok
10:56:34.0738 0300 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
10:56:34.0740 0300 RDPCDD - ok
10:56:34.0795 0300 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
10:56:34.0803 0300 rdpdr - ok
10:56:34.0811 0300 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
10:56:34.0813 0300 RDPENCDD - ok
10:56:34.0856 0300 RDPWD (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys
10:56:34.0861 0300 RDPWD - ok
10:56:34.0895 0300 RemoteAccess (bcdd6b4804d06b1f7ebf29e53a57ece9) C:\Windows\System32\mprdim.dll
10:56:34.0901 0300 RemoteAccess - ok
10:56:34.0940 0300 RemoteRegistry (cc4e32400f3c7253400cf8f3f3a0b676) C:\Windows\system32\regsvc.dll
10:56:34.0947 0300 RemoteRegistry - ok
10:56:34.0974 0300 RpcLocator (5123f83cbc4349d065534eeb6bbdc42b) C:\Windows\system32\locator.exe
10:56:34.0978 0300 RpcLocator - ok
10:56:35.0088 0300 RpcSs (301ae00e12408650baddc04dbc832830) C:\Windows\System32\rpcss.dll
10:56:35.0098 0300 RpcSs - ok
10:56:35.0131 0300 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
10:56:35.0134 0300 rspndr - ok
10:56:35.0183 0300 RTL8187B (67e7822975985016fdce01635fbdbbf9) C:\Windows\system32\DRIVERS\RTL8187B.sys
10:56:35.0187 0300 RTL8187B - ok
10:56:35.0223 0300 SamSs (a911ecac81f94adeafbe8e3f7873edb0) C:\Windows\system32\lsass.exe
10:56:35.0226 0300 SamSs - ok
10:56:35.0256 0300 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
10:56:35.0259 0300 sbp2port - ok
10:56:35.0292 0300 SCardSvr (11387e32642269c7e62e8b52c060b3c6) C:\Windows\System32\SCardSvr.dll
10:56:35.0299 0300 SCardSvr - ok
10:56:35.0369 0300 Schedule (7b587b8a6d4a99f79d2902d0385f29bd) C:\Windows\system32\schedsvc.dll
10:56:35.0386 0300 Schedule - ok
10:56:35.0412 0300 SCPolicySvc (87c2d0377b23e2d8a41093c2f5fb1a5b) C:\Windows\System32\certprop.dll
10:56:35.0414 0300 SCPolicySvc - ok
10:56:35.0456 0300 sdbus (bcca63a3d143938273a3158757389dc7) C:\Windows\system32\DRIVERS\sdbus.sys
10:56:35.0459 0300 sdbus - ok
10:56:35.0509 0300 SDRSVC (716313d9f6b0529d03f726d5aaf6f191) C:\Windows\System32\SDRSVC.dll
10:56:35.0519 0300 SDRSVC - ok
10:56:35.0723 0300 SeaPort (cc781378e7eda615d2cdca3b17829fa4) C:\Program Files\Microsoft\BingBar\SeaPort.EXE
10:56:35.0729 0300 SeaPort - ok
10:56:35.0755 0300 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
10:56:35.0757 0300 secdrv - ok
10:56:35.0773 0300 seclogon (fd5199d4d8a521005e4b5ee7fe00fa9b) C:\Windows\system32\seclogon.dll
10:56:35.0782 0300 seclogon - ok
10:56:35.0812 0300 SENS (a9bbab5759771e523f55563d6cbe140f) C:\Windows\system32\sens.dll
10:56:35.0821 0300 SENS - ok
10:56:35.0848 0300 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
10:56:35.0851 0300 Serenum - ok
10:56:35.0894 0300 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
10:56:35.0898 0300 Serial - ok
10:56:35.0934 0300 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
10:56:35.0937 0300 sermouse - ok
10:56:36.0351 0300 SessionEnv (d2193326f729b163125610dbf3e17d57) C:\Windows\system32\sessenv.dll
10:56:36.0364 0300 SessionEnv - ok
10:56:36.0392 0300 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
10:56:36.0395 0300 sffdisk - ok
10:56:36.0420 0300 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
10:56:36.0423 0300 sffp_mmc - ok
10:56:36.0440 0300 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
10:56:36.0444 0300 sffp_sd - ok
10:56:36.0466 0300 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
10:56:36.0468 0300 sfloppy - ok
10:56:36.0547 0300 Sftfs (d9b734638dd8dba9d59aad3189cd0fad) C:\Windows\system32\DRIVERS\Sftfslh.sys
10:56:36.0560 0300 Sftfs - ok
10:56:36.0678 0300 sftlist (cb73bc422c07fb611f194da18d1e7f36) C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
10:56:36.0690 0300 sftlist - ok
10:56:36.0729 0300 Sftplay (2f61bd46c0bff4eb36e1e359ca17bfc5) C:\Windows\system32\DRIVERS\Sftplaylh.sys
10:56:36.0734 0300 Sftplay - ok
10:56:36.0786 0300 Sftredir (518bac0179f94304f422696b47c0ec12) C:\Windows\system32\DRIVERS\Sftredirlh.sys
10:56:36.0788 0300 Sftredir - ok
10:56:36.0807 0300 Sftvol (747325236d88b3f05ffd27ff9ec711c5) C:\Windows\system32\DRIVERS\Sftvollh.sys
10:56:36.0809 0300 Sftvol - ok
10:56:36.0869 0300 sftvsa (a5812f0281ca5081bf696626f9bf324d) C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
10:56:36.0874 0300 sftvsa - ok
10:56:36.0937 0300 SharedAccess (e1499bd0ff76b1b2fbbf1af339d91165) C:\Windows\System32\ipnathlp.dll
10:56:36.0946 0300 SharedAccess - ok
10:56:36.0997 0300 ShellHWDetection (1e3fdb80e40a3ce645f229dfbdfb7694) C:\Windows\System32\shsvcs.dll
10:56:37.0007 0300 ShellHWDetection - ok
10:56:37.0030 0300 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
10:56:37.0033 0300 sisagp - ok
10:56:37.0063 0300 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
10:56:37.0065 0300 SiSRaid2 - ok
10:56:37.0084 0300 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
10:56:37.0088 0300 SiSRaid4 - ok
10:56:37.0403 0300 slsvc (0ba91e1358ad25236863039bb2609a2e) C:\Windows\system32\SLsvc.exe
10:56:37.0440 0300 slsvc - ok
10:56:37.0640 0300 SLUINotify (7c6dc44ca0bfa6291629ab764200d1d4) C:\Windows\system32\SLUINotify.dll
10:56:37.0648 0300 SLUINotify - ok
10:56:37.0684 0300 Smb (031e6bcd53c9b2b9ace111eafec347b6) C:\Windows\system32\DRIVERS\smb.sys
10:56:37.0688 0300 Smb - ok
10:56:37.0740 0300 SNMPTRAP (2a146a055b4401c16ee62d18b8e2a032) C:\Windows\System32\snmptrap.exe
10:56:37.0748 0300 SNMPTRAP - ok
10:56:37.0784 0300 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
10:56:37.0787 0300 spldr - ok
10:56:37.0831 0300 Spooler (3665f79026a3f91fbca63f2c65a09b19) C:\Windows\System32\spoolsv.exe
10:56:37.0842 0300 Spooler - ok
10:56:37.0907 0300 srv (2252aef839b1093d16761189f45af885) C:\Windows\system32\DRIVERS\srv.sys
10:56:37.0916 0300 srv - ok
10:56:37.0984 0300 srv2 (b7ff59408034119476b00a81bb53d5d1) C:\Windows\system32\DRIVERS\srv2.sys
10:56:37.0990 0300 srv2 - ok
10:56:38.0030 0300 srvnet (2accc9b12af02030f531e6cca6f8b76e) C:\Windows\system32\DRIVERS\srvnet.sys
10:56:38.0036 0300 srvnet - ok
10:56:38.0080 0300 SSDPSRV (03d50b37234967433a5ea5ba72bc0b62) C:\Windows\System32\ssdpsrv.dll
10:56:38.0091 0300 SSDPSRV - ok
10:56:38.0127 0300 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\Windows\system32\DRIVERS\ssmdrv.sys
10:56:38.0130 0300 ssmdrv - ok
10:56:38.0180 0300 SstpSvc (6f1a32e7b7b30f004d9a20afadb14944) C:\Windows\system32\sstpsvc.dll
10:56:38.0189 0300 SstpSvc - ok
10:56:38.0282 0300 stisvc (7dd08a597bc56051f320da0baf69e389) C:\Windows\System32\wiaservc.dll
10:56:38.0298 0300 stisvc - ok
10:56:38.0329 0300 SVRPEDRV - ok
10:56:38.0361 0300 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
10:56:38.0363 0300 swenum - ok
10:56:38.0427 0300 swprv (b36c7cdb86f7f7a8e884479219766950) C:\Windows\System32\swprv.dll
10:56:38.0438 0300 swprv - ok
10:56:38.0492 0300 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
10:56:38.0494 0300 Symc8xx - ok
10:56:38.0522 0300 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
10:56:38.0524 0300 Sym_hi - ok
10:56:38.0556 0300 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
10:56:38.0558 0300 Sym_u3 - ok
10:56:38.0623 0300 SynTP (11f730bf0d0aa4fe7de7138a32a52422) C:\Windows\system32\DRIVERS\SynTP.sys
10:56:38.0628 0300 SynTP - ok
10:56:38.0716 0300 SysMain (8710a92d0024b03b5fb9540df1f71f1d) C:\Windows\system32\sysmain.dll
10:56:38.0736 0300 SysMain - ok
10:56:38.0788 0300 TabletInputService (2dca225eae15f42c0933e998ee0231c3) C:\Windows\System32\TabSvc.dll
10:56:38.0798 0300 TabletInputService - ok
10:56:38.0846 0300 TapiSrv (680916bb09ee0f3a6aca7c274b0d633f) C:\Windows\System32\tapisrv.dll
10:56:38.0860 0300 TapiSrv - ok
10:56:38.0890 0300 TBS (cb05822cd9cc6c688168e113c603dbe7) C:\Windows\System32\tbssvc.dll
10:56:38.0900 0300 TBS - ok
10:56:39.0032 0300 Tcpip (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\drivers\tcpip.sys
10:56:39.0049 0300 Tcpip - ok
10:56:39.0070 0300 Tcpip6 (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\DRIVERS\tcpip.sys
10:56:39.0079 0300 Tcpip6 - ok
10:56:39.0107 0300 tcpipreg (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys
10:56:39.0110 0300 tcpipreg - ok
10:56:39.0139 0300 tdcmdpst (1825bceb47bf41c5a9f0e44de82fc27a) C:\Windows\system32\DRIVERS\tdcmdpst.sys
10:56:39.0142 0300 tdcmdpst - ok
10:56:39.0162 0300 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
10:56:39.0165 0300 TDPIPE - ok
10:56:39.0188 0300 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
10:56:39.0191 0300 TDTCP - ok
10:56:39.0253 0300 tdx (d09276b1fab033ce1d40dcbdf303d10f) C:\Windows\system32\DRIVERS\tdx.sys
10:56:39.0257 0300 tdx - ok
10:56:39.0296 0300 TermDD (a048056f5e1a96a9bf3071b91741a5aa) C:\Windows\system32\DRIVERS\termdd.sys
10:56:39.0299 0300 TermDD - ok
10:56:39.0371 0300 TermService (d605031e225aaccbceb5b76a4f1603a6) C:\Windows\System32\termsrv.dll
10:56:39.0388 0300 TermService - ok
10:56:39.0442 0300 Themes (1e3fdb80e40a3ce645f229dfbdfb7694) C:\Windows\system32\shsvcs.dll
10:56:39.0451 0300 Themes - ok
10:56:39.0476 0300 THREADORDER (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
10:56:39.0481 0300 THREADORDER - ok
10:56:39.0549 0300 tifm21 (e4c85c291ddb3dc5e4a2f227ca465ba6) C:\Windows\system32\drivers\tifm21.sys
10:56:39.0556 0300 tifm21 - ok
10:56:39.0666 0300 TNaviSrv (b351aa72eae95c4447a3c5329977f064) C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
10:56:39.0669 0300 TNaviSrv - ok
10:56:39.0722 0300 TODDSrv (d540858e65bfa6fded41ad2495ece344) C:\Windows\system32\TODDSrv.exe
10:56:39.0730 0300 TODDSrv - ok
10:56:39.0817 0300 TosCoSrv (6a54c28b53c6b50d333c8ee974c6b208) C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
10:56:39.0826 0300 TosCoSrv - ok
10:56:39.0924 0300 TOSHIBA Bluetooth Service (87843b2da99051bc66e2d6c211e3d6a4) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
10:56:39.0930 0300 TOSHIBA Bluetooth Service - ok
10:56:39.0952 0300 Tosrfcom - ok
10:56:40.0019 0300 tos_sps32 (1ea5f27c29405bf49799feca77186da9) C:\Windows\system32\DRIVERS\tos_sps32.sys
10:56:40.0027 0300 tos_sps32 - ok
10:56:40.0066 0300 TrkWks (ec74e77d0eb004bd3a809b5f8fb8c2ce) C:\Windows\System32\trkwks.dll
10:56:40.0075 0300 TrkWks - ok
10:56:40.0123 0300 TrustedInstaller (16613a1bad034d4ecf957af18b7c2ff5) C:\Windows\servicing\TrustedInstaller.exe
10:56:40.0124 0300 TrustedInstaller - ok
10:56:40.0154 0300 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
10:56:40.0156 0300 tssecsrv - ok
10:56:40.0211 0300 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
10:56:40.0213 0300 tunmp - ok
10:56:40.0242 0300 tunnel (6042505ff6fa9ac1ef7684d0e03b6940) C:\Windows\system32\DRIVERS\tunnel.sys
10:56:40.0245 0300 tunnel - ok
10:56:40.0267 0300 TVALZ (521c5f39829875adf5466dd94c6282c7) C:\Windows\system32\DRIVERS\TVALZ_O.SYS
10:56:40.0270 0300 TVALZ - ok
10:56:40.0308 0300 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
10:56:40.0310 0300 uagp35 - ok
10:56:40.0371 0300 udfs (8b5088058fa1d1cd897a2113ccff6c58) C:\Windows\system32\DRIVERS\udfs.sys
10:56:40.0376 0300 udfs - ok
10:56:40.0409 0300 UI0Detect (ecef404f62863755951e09c802c94ad5) C:\Windows\system32\UI0Detect.exe
10:56:40.0416 0300 UI0Detect - ok
10:56:40.0500 0300 UleadBurningHelper (332d341d92b933600d41953b08360dfb) C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
10:56:40.0504 0300 UleadBurningHelper - ok
10:56:40.0535 0300 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
10:56:40.0538 0300 uliagpkx - ok
10:56:40.0596 0300 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
10:56:40.0602 0300 uliahci - ok
10:56:40.0635 0300 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
10:56:40.0639 0300 UlSata - ok
10:56:40.0671 0300 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
10:56:40.0675 0300 ulsata2 - ok
10:56:40.0708 0300 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
10:56:40.0710 0300 umbus - ok
10:56:40.0766 0300 upnphost (68308183f4ae0be7bf8ecd07cb297999) C:\Windows\System32\upnphost.dll
10:56:40.0778 0300 upnphost - ok
10:56:40.0825 0300 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
10:56:40.0828 0300 usbccgp - ok
10:56:40.0851 0300 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
10:56:40.0854 0300 usbcir - ok
10:56:40.0909 0300 usbehci (cebe90821810e76320155beba722fcf9) C:\Windows\system32\DRIVERS\usbehci.sys
10:56:40.0914 0300 usbehci - ok
10:56:40.0946 0300 usbhub (cc6b28e4ce39951357963119ce47b143) C:\Windows\system32\DRIVERS\usbhub.sys
10:56:40.0949 0300 usbhub - ok
10:56:40.0969 0300 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
10:56:40.0971 0300 usbohci - ok
10:56:41.0007 0300 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
10:56:41.0009 0300 usbprint - ok
10:56:41.0067 0300 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
10:56:41.0070 0300 usbscan - ok
10:56:41.0088 0300 USBSTOR (87ba6b83c5d19b69160968d07d6e2982) C:\Windows\system32\DRIVERS\USBSTOR.SYS
10:56:41.0090 0300 USBSTOR - ok
10:56:41.0124 0300 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
10:56:41.0126 0300 usbuhci - ok
10:56:41.0193 0300 usbvideo (0a6b81f01bc86399482e27e6fda7b33b) C:\Windows\system32\Drivers\usbvideo.sys
10:56:41.0197 0300 usbvideo - ok
10:56:41.0235 0300 UxSms (032a0acc3909ae7215d524e29d536797) C:\Windows\System32\uxsms.dll
10:56:41.0242 0300 UxSms - ok
10:56:41.0308 0300 vds (b13bc395b9d6116628f5af47e0802ac4) C:\Windows\System32\vds.exe
10:56:41.0325 0300 vds - ok
10:56:41.0352 0300 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
10:56:41.0355 0300 vga - ok
10:56:41.0394 0300 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
10:56:41.0396 0300 VgaSave - ok
10:56:41.0423 0300 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
10:56:41.0426 0300 viaagp - ok
10:56:41.0444 0300 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
10:56:41.0446 0300 ViaC7 - ok
10:56:41.0479 0300 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
10:56:41.0481 0300 viaide - ok
10:56:41.0520 0300 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
10:56:41.0522 0300 volmgr - ok
10:56:41.0580 0300 volmgrx (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys
10:56:41.0585 0300 volmgrx - ok
10:56:41.0655 0300 volsnap (d8b4a53dd2769f226b3eb374374987c9) C:\Windows\system32\drivers\volsnap.sys
10:56:41.0658 0300 volsnap - ok
10:56:41.0683 0300 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
10:56:41.0685 0300 vsmraid - ok
10:56:41.0820 0300 VSS (d5fb73d19c46ade183f968e13f186b23) C:\Windows\system32\vssvc.exe
10:56:41.0852 0300 VSS - ok
10:56:41.0891 0300 W32Time (1cf9206966a8458cda9a8b20df8ab7d3) C:\Windows\system32\w32time.dll
10:56:41.0904 0300 W32Time - ok
10:56:41.0969 0300 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
10:56:41.0971 0300 WacomPen - ok
10:56:42.0015 0300 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
10:56:42.0019 0300 Wanarp - ok
10:56:42.0026 0300 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
10:56:42.0029 0300 Wanarpv6 - ok
10:56:42.0095 0300 wcncsvc (f3a5c2e1a6533192b070d06ecf6be796) C:\Windows\System32\wcncsvc.dll
10:56:42.0114 0300 wcncsvc - ok
10:56:42.0150 0300 WcsPlugInService (11bcb7afcdd7aadacb5746f544d3a9c7) C:\Windows\System32\WcsPlugInService.dll
10:56:42.0160 0300 WcsPlugInService - ok
10:56:42.0182 0300 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
10:56:42.0184 0300 Wd - ok
10:56:42.0261 0300 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
10:56:42.0269 0300 Wdf01000 - ok
10:56:42.0297 0300 WdiServiceHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
10:56:42.0306 0300 WdiServiceHost - ok
10:56:42.0313 0300 WdiSystemHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
10:56:42.0320 0300 WdiSystemHost - ok
10:56:42.0365 0300 WebClient (cf9a5f41789b642db967021de06a2713) C:\Windows\System32\webclnt.dll
10:56:42.0376 0300 WebClient - ok
10:56:42.0419 0300 Wecsvc (ae3736e7e8892241c23e4ebbb7453b60) C:\Windows\system32\wecsvc.dll
10:56:42.0428 0300 Wecsvc - ok
10:56:42.0467 0300 wercplsupport (670ff720071ed741206d69bd995ea453) C:\Windows\System32\wercplsupport.dll
10:56:42.0474 0300 wercplsupport - ok
10:56:42.0529 0300 WerSvc (fd1965aaa112c6818a30ab02742d0461) C:\Windows\System32\WerSvc.dll
10:56:42.0538 0300 WerSvc - ok
10:56:42.0657 0300 WinDefend (4575aa12561c5648483403541d0d7f2b) C:\Program Files\Windows Defender\mpsvc.dll
10:56:42.0664 0300 WinDefend - ok
10:56:42.0673 0300 WinHttpAutoProxySvc - ok
10:56:42.0745 0300 Winmgmt (00b79a7c984678f24cf052e5beb3a2f5) C:\Windows\system32\wbem\WMIsvc.dll
10:56:42.0750 0300 Winmgmt - ok
10:56:42.0894 0300 WinRM (7cfe68bdc065e55aa5e8421607037511) C:\Windows\system32\WsmSvc.dll
10:56:42.0928 0300 WinRM - ok
10:56:43.0030 0300 Wlansvc (275f4346e569df56cfb95243bd6f6ff0) C:\Windows\System32\wlansvc.dll
10:56:43.0049 0300 Wlansvc - ok
10:56:43.0341 0300 wlidsvc (5144ae67d60ec653f97ddf3feed29e77) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
10:56:43.0382 0300 wlidsvc - ok
10:56:43.0578 0300 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
10:56:43.0580 0300 WmiAcpi - ok
10:56:43.0667 0300 wmiApSrv (aba4cf9f856d9a3a25f4ddd7690a6e9d) C:\Windows\system32\wbem\WmiApSrv.exe
10:56:43.0673 0300 wmiApSrv - ok
10:56:43.0807 0300 WMPNetworkSvc (3978704576a121a9204f8cc49a301a9b) C:\Program Files\Windows Media Player\wmpnetwk.exe
10:56:43.0835 0300 WMPNetworkSvc - ok
10:56:43.0866 0300 WPCSvc (5d94cd167751294962ba238d82dd1bb8) C:\Windows\System32\wpcsvc.dll
10:56:43.0883 0300 WPCSvc - ok
10:56:43.0912 0300 WPDBusEnum (396d406292b0cd26e3504ffe82784702) C:\Windows\system32\wpdbusenum.dll
10:56:43.0927 0300 WPDBusEnum - ok
10:56:43.0986 0300 WpdUsb (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys
10:56:43.0989 0300 WpdUsb - ok
10:56:44.0186 0300 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
10:56:44.0208 0300 WPFFontCache_v0400 - ok
10:56:44.0253 0300 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
10:56:44.0257 0300 ws2ifsl - ok
10:56:44.0303 0300 wscsvc (683dd16b590372f2c9661d277f35e49c) C:\Windows\system32\wscsvc.dll
10:56:44.0319 0300 wscsvc - ok
10:56:44.0330 0300 WSearch - ok
10:56:44.0636 0300 wuauserv (6298277b73c77fa99106b271a7525163) C:\Windows\system32\wuaueng.dll
10:56:44.0704 0300 wuauserv - ok
10:56:44.0907 0300 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
10:56:44.0911 0300 WUDFRd - ok
10:56:44.0951 0300 wudfsvc (575a4190d989f64732119e4114045a4f) C:\Windows\System32\WUDFSvc.dll
10:56:44.0967 0300 wudfsvc - ok
10:56:45.0033 0300 yukonwlh (1dd951cf8a69fa2bea82f3e3a811fa95) C:\Windows\system32\DRIVERS\yk60x86.sys
10:56:45.0039 0300 yukonwlh - ok
10:56:45.0079 0300 MBR (0x1B8) (5b5e648d12fcadc244c1ec30318e1eb9) \Device\Harddisk0\DR0
10:56:45.0828 0300 \Device\Harddisk0\DR0 - ok
10:56:45.0868 0300 Boot (0x1200) (eee6fcaeea5a93985a7bb34281f84a63) \Device\Harddisk0\DR0\Partition0
10:56:45.0870 0300 \Device\Harddisk0\DR0\Partition0 - ok
10:56:45.0870 0300 ============================================================
10:56:45.0870 0300 Scan finished
10:56:45.0870 0300 ============================================================
10:56:45.0891 1656 Detected object count: 0
10:56:45.0891 1656 Actual detected object count: 0
10:57:06.0747 3312 Deinitialize success

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Thu 31 May 2012, 2:31 am

Well, this next scan was interesting.

Ran it, only to get the dreaded blue screen letting me know the computer had to be shut down, and re started

Tried it again, and the same.

Restarted the computer under "safe" mode, and ran it.....and this is what I got

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-30 11:16:13
-----------------------------
11:16:13.539 OS Version: Windows 6.0.6001 Service Pack 1
11:16:13.539 Number of processors: 2 586 0xF0D
11:16:13.539 ComputerName: JONEJET-PC UserName: JonEJet
11:16:27.267 Initialize success
11:16:31.089 AVAST engine defs: 12053000
11:16:33.133 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
11:16:33.133 Disk 0 Vendor: TOSHIBA_MK1246GSX LB213M Size: 114473MB BusType: 3
11:16:33.148 Disk 0 MBR read successfully
11:16:33.164 Disk 0 MBR scan
11:16:34.802 Disk 0 Windows VISTA default MBR code
11:16:34.849 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 1500 MB offset 2048
11:16:36.440 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 112969 MB offset 3074048
11:16:36.534 Disk 0 scanning sectors +234434560
11:16:37.672 Disk 0 scanning C:\Windows\system32\drivers
11:16:57.516 Service scanning
11:17:32.538 Modules scanning
11:17:36.953 Disk 0 trace - called modules:
11:17:37.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys
11:17:37.499 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84fee440]
11:17:37.499 3 CLASSPNP.SYS[82b15745] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x84e738a8]
11:17:38.544 AVAST engine scan C:\Windows
11:17:42.600 AVAST engine scan C:\Windows\system32
11:20:08.633 AVAST engine scan C:\Windows\system32\drivers
11:20:20.598 AVAST engine scan C:\Users\JonEJet
11:22:24.119 Disk 0 MBR has been saved successfully to "C:\Users\JonEJet\Desktop\MBR.dat"
11:22:24.478 The log file has been saved successfully to "C:\Users\JonEJet\Desktop\aswMBR.txt"

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Gabethebabe on Thu 31 May 2012, 7:34 am

Well - those tools do not find anything.

Have you tried to run Combofix in safe mode?

====================

ESET also has a specialized tool for Zero Access. You can download it here. Lets see if that has more success than the symantec tool. Please tell me what it reports, if possible, copy and paste it back here.

====================

If no result comes out of this, try GMER:

Download GMER Rootkit Scanner from here and save it to your desktop.
Note that it will have a random name.

  • Double click the file to run the tool. It may take a while to load.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click No
  • In the right panel, you will see several boxes that have been checked
  • Make sure this is unchecked: Show All
  • Make sure only your system drive (usually C:\) is checked and uncheck all other drives you might have on your system
  • Click Scan to start the scan
  • When it has finished, click Save and save the log as gmer.txt on your desktop
  • If GMER reports any <--- ROOTKIT entries, don´t take any action. It could be a false positive.
  • Click OK to quit GMER.
  • Please post the contents of gmer.txt into your next reply.


====================

Hopefully we get some more data out of these scans.

Gabethebabe

Tech Advisor
Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Thu 31 May 2012, 8:59 am

GMER 1.0.15.15641 - [You must be registered and logged in to see this link.]
Rootkit scan 2012-05-30 17:52:34
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 TOSHIBA_MK1246GSX rev.LB213M
Running: 311zqyeh.exe; Driver: C:\Users\JonEJet\AppData\Local\Temp\kxlirfow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8C145DF8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8C70EA5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8C14685E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8C14B2E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8C14B330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8C14B422]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8C14B252]
SSDT 8A2105B6 ZwCreateSection
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8C14B29A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8C14B3DC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8C145E44]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8C70EB34]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8C145AD6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8C145E90]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8C148D1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8C146B02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8C14B30E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8C14B352]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8C14B446]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8C14B278]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8C14B3AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8C14B2C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8C14B400]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8C70ECA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8C1469CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8C145EDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8C145F28]
SSDT 8A2105BB ZwSetContextThread
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8C145B46]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8C145CEA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8C145C92]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8C145D5A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8C70ED60]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8C145F74]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8C70EBE0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8C724D92]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 340 81EBD964 4 Bytes [F8, 5D, 14, 8C] {CLC ; POP EBP; ADC AL, 0x8c}
.text ntkrnlpa.exe!KeSetTimerEx + 364 81EBD988 4 Bytes [5A, EA, 70, 8C]
.text ntkrnlpa.exe!KeSetTimerEx + 3C4 81EBD9E8 4 Bytes [5E, 68, 14, 8C]
.text ntkrnlpa.exe!KeSetTimerEx + 404 81EBDA28 8 Bytes [E4, B2, 14, 8C, 30, B3, 14, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 410 81EBDA34 4 Bytes [22, B4, 14, 8C]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 81FE4D5E 5 Bytes JMP 8C721C8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82021666 4 Bytes CALL 8C1471B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82030FC9 4 Bytes CALL 8C1471CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 8204D872 5 Bytes JMP 8C72374C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82099776 7 Bytes JMP 8C724D96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x87F51000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x87F9A000, 0x510, 0x40000040]
.text win32k.sys!EngCreateRectRgn + 51BE 81464121 5 Bytes JMP 8C14967C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPaint + 2098 81477417 5 Bytes JMP 8C148E4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 3DF2 81482D87 5 Bytes JMP 8C14970C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + B50 8148ADFC 5 Bytes JMP 8C148D52 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + F35 8148B1E1 5 Bytes JMP 8C14A0BA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCombineRgn + 3A1 8148CD4F 5 Bytes JMP 8C1497E6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCombineRgn + 3161 8148FB0F 5 Bytes JMP 8C149104 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngSetRectRgn + 192F 814927DB 5 Bytes JMP 8C148F84 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + 65CF 8149C989 5 Bytes JMP 8C149536 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + 8742 8149EAFC 5 Bytes JMP 8C14A450 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + A398 814A0752 5 Bytes JMP 8C1497FE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + C760 814BC173 5 Bytes JMP 8C149384 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + C833 814BC246 5 Bytes JMP 8C149562 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 3FBB 814DE250 5 Bytes JMP 8C149F8C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 7DEF 814E2084 5 Bytes JMP 8C148FF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMulDiv + 9253 814EBA92 5 Bytes JMP 8C149724 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngNineGrid + 442A 814F45A4 5 Bytes JMP 8C148E66 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngNineGrid + 9061 814F91DB 5 Bytes JMP 8C14A232 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngNineGrid + 92BD 814F9437 5 Bytes JMP 8C14A2EA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngLpkInstalled + 17 814FD4C0 5 Bytes JMP 8C14A07C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBlt + 3838 8150D788 5 Bytes JMP 8C14A4F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 4D52 81515F06 5 Bytes JMP 8C14A036 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 17BC 8151FA3E 5 Bytes JMP 8C14A180 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!STROBJ_vEnumStart + 478A 815264CD 5 Bytes JMP 8C148F22 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + 40E 81542D0A 5 Bytes JMP 8C1491AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!CLIPOBJ_bEnum + CC9 8154CBE8 5 Bytes JMP 8C1490B0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 26D9 81550720 5 Bytes JMP 8C14A3A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 45CE 81552615 5 Bytes JMP 8C14973C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 30D9 8156A971 5 Bytes JMP 8C1492E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 6CAF 8156E547 5 Bytes JMP 8C149248 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001501F8
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001503FC
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 001D0804
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001D01F8
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001D03FC
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 001D0600
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 001D0A08
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001E03FC
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 001E0600
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 001E1014
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 001E0804
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 001E0A08
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 001E0C0C
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 001E0E10
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[124] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001E01F8
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001401F8
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001403FC
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00160804
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001601F8
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001603FC
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00160600
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00160A08
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001703FC
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00170600
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00171014
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00170804
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00170A08
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00170C0C
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00170E10
.text C:\TOSHIBA\IVP\ISM\pinger.exe[260] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001701F8
.text C:\Windows\System32\igfxpers.exe[372] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001501F8
.text C:\Windows\System32\igfxpers.exe[372] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001503FC
.text C:\Windows\System32\igfxpers.exe[372] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\System32\igfxpers.exe[372] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00170804
.text C:\Windows\System32\igfxpers.exe[372] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001701F8
.text C:\Windows\System32\igfxpers.exe[372] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001703FC
.text C:\Windows\System32\igfxpers.exe[372] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00170600
.text C:\Windows\System32\igfxpers.exe[372] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00170A08
.text C:\Windows\System32\igfxpers.exe[372] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001803FC
.text C:\Windows\System32\igfxpers.exe[372] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00180600
.text C:\Windows\System32\igfxpers.exe[372] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00181014
.text C:\Windows\System32\igfxpers.exe[372] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00180804
.text C:\Windows\System32\igfxpers.exe[372] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00180A08
.text C:\Windows\System32\igfxpers.exe[372] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00180C0C
.text C:\Windows\System32\igfxpers.exe[372] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00180E10
.text C:\Windows\System32\igfxpers.exe[372] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001801F8
.text C:\Windows\RtHDVCpl.exe[472] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001501F8
.text C:\Windows\RtHDVCpl.exe[472] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001503FC
.text C:\Windows\RtHDVCpl.exe[472] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\RtHDVCpl.exe[472] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001703FC
.text C:\Windows\RtHDVCpl.exe[472] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00170600
.text C:\Windows\RtHDVCpl.exe[472] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00171014
.text C:\Windows\RtHDVCpl.exe[472] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00170804
.text C:\Windows\RtHDVCpl.exe[472] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00170A08
.text C:\Windows\RtHDVCpl.exe[472] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00170C0C
.text C:\Windows\RtHDVCpl.exe[472] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00170E10
.text C:\Windows\RtHDVCpl.exe[472] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001701F8
.text C:\Windows\RtHDVCpl.exe[472] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00180804
.text C:\Windows\RtHDVCpl.exe[472] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001801F8
.text C:\Windows\RtHDVCpl.exe[472] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001803FC
.text C:\Windows\RtHDVCpl.exe[472] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00180600
.text C:\Windows\RtHDVCpl.exe[472] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00180A08
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001501F8
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001503FC
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00270804
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 002701F8
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 002703FC
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00270600
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00270A08
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 002803FC
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00280600
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00281014
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00280804
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00280A08
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00280C0C
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00280E10
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[484] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 002801F8
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001501F8
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001503FC
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001703FC
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00170600
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00171014
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00170804
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00170A08
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00170C0C
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00170E10
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001701F8
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00180804
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001801F8
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001803FC
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00180600
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[500] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00180A08
.text C:\Windows\system32\csrss.exe[528] KERNEL32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\wininit.exe[572] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[572] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[572] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\wininit.exe[572] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000903FC
.text C:\Windows\system32\wininit.exe[572] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00090600
.text C:\Windows\system32\wininit.exe[572] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00091014
.text C:\Windows\system32\wininit.exe[572] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00090804
.text C:\Windows\system32\wininit.exe[572] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00090A08
.text C:\Windows\system32\wininit.exe[572] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00090C0C
.text C:\Windows\system32\wininit.exe[572] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00090E10
.text C:\Windows\system32\wininit.exe[572] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000901F8
.text C:\Windows\system32\wininit.exe[572] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 000A0804
.text C:\Windows\system32\wininit.exe[572] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000A01F8
.text C:\Windows\system32\wininit.exe[572] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000A03FC
.text C:\Windows\system32\wininit.exe[572] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 000A0600
.text C:\Windows\system32\wininit.exe[572] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 000A0A08
.text C:\Windows\system32\csrss.exe[580] KERNEL32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\services.exe[616] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\system32\services.exe[616] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\system32\services.exe[616] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\services.exe[616] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000B03FC
.text C:\Windows\system32\services.exe[616] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 000B0600
.text C:\Windows\system32\services.exe[616] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 000B1014
.text C:\Windows\system32\services.exe[616] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 000B0804
.text C:\Windows\system32\services.exe[616] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 000B0A08
.text C:\Windows\system32\services.exe[616] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 000B0C0C
.text C:\Windows\system32\services.exe[616] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 000B0E10
.text C:\Windows\system32\services.exe[616] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000B01F8
.text C:\Windows\system32\services.exe[616] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 000C0804
.text C:\Windows\system32\services.exe[616] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000C01F8
.text C:\Windows\system32\services.exe[616] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000C03FC
.text C:\Windows\system32\services.exe[616] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 000C0600
.text C:\Windows\system32\services.exe[616] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 000C0A08
.text C:\Windows\system32\lsass.exe[628] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\system32\lsass.exe[628] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\system32\lsass.exe[628] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\system32\lsass.exe[628] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\system32\lsass.exe[628] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00080804
.text C:\Windows\system32\lsass.exe[628] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000801F8
.text C:\Windows\system32\lsass.exe[628] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000803FC
.text C:\Windows\system32\lsass.exe[628] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00080600
.text C:\Windows\system32\lsass.exe[628] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00080A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001601F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001603FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001703FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00170600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00171014
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00170804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00170A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00170C0C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00170E10
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001701F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00280804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 002801F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 002803FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00280600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[632] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00280A08
.text C:\Windows\system32\lsm.exe[640] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000901F8
.text C:\Windows\system32\lsm.exe[640] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000903FC
.text C:\Windows\system32\lsm.exe[640] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000B03FC
.text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 000B0600
.text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 000B1014
.text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 000B0804
.text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 000B0A08
.text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 000B0C0C
.text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 000B0E10
.text C:\Windows\system32\lsm.exe[640] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000B01F8
.text C:\Windows\system32\winlogon.exe[684] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[684] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[684] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[684] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000503FC
.text C:\Windows\system32\winlogon.exe[684] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00050600
.text C:\Windows\system32\winlogon.exe[684] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00051014
.text C:\Windows\system32\winlogon.exe[684] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00050804
.text C:\Windows\system32\winlogon.exe[684] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00050A08
.text C:\Windows\system32\winlogon.exe[684] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00050C0C
.text C:\Windows\system32\winlogon.exe[684] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00050E10
.text C:\Windows\system32\winlogon.exe[684] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000501F8
.text C:\Windows\system32\winlogon.exe[684] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00060804
.text C:\Windows\system32\winlogon.exe[684] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000601F8
.text C:\Windows\system32\winlogon.exe[684] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000603FC
.text C:\Windows\system32\winlogon.exe[684] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00060600
.text C:\Windows\system32\winlogon.exe[684] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00060A08
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001401F8
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001403FC
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00260804
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 002601F8
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 002603FC
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00260600
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00260A08
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 002703FC
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00270600
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00271014
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00270804
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00270A08
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00270C0C
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00270E10
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[812] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 002701F8
.text C:\Windows\system32\svchost.exe[824] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[824] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[824] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[824] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[888] KERNEL32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\svchost.exe[932] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[932] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000803FC
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00080600
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00081014
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00080804
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00080A08
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00080C0C
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00080E10
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000801F8
.text C:\Windows\system32\svchost.exe[932] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 000C0804
.text C:\Windows\system32\svchost.exe[932] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000C01F8
.text C:\Windows\system32\svchost.exe[932] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000C03FC
.text C:\Windows\system32\svchost.exe[932] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 000C0600
.text C:\Windows\system32\svchost.exe[932] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 000C0A08
.text C:\Windows\System32\svchost.exe[988] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[988] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[988] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[988] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\System32\svchost.exe[988] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 001A0804
.text C:\Windows\System32\svchost.exe[988] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001A01F8
.text C:\Windows\System32\svchost.exe[988] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001A03FC
.text C:\Windows\System32\svchost.exe[988] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 001A0600
.text C:\Windows\System32\svchost.exe[988] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 001A0A08
.text C:\Windows\System32\svchost.exe[1060] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[1060] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\System32\svchost.exe[1060] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 003B0804
.text C:\Windows\System32\svchost.exe[1060] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 003B01F8
.text C:\Windows\System32\svchost.exe[1060] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 003B03FC
.text C:\Windows\System32\svchost.exe[1060] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 003B0600
.text C:\Windows\System32\svchost.exe[1060] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 003B0A08
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1072] kernel32.dll!GetBinaryTypeW + 70

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Thu 31 May 2012, 9:03 am

775A1CE8 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1076] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1076] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1076] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1076] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00150804
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001501F8
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001503FC
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00150600
.text C:\Windows\system32\svchost.exe[1076] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00150A08
.text C:\Windows\system32\AUDIODG.EXE[1184] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1268] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1268] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1268] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00C10804
.text C:\Windows\system32\svchost.exe[1268] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 00C101F8
.text C:\Windows\system32\svchost.exe[1268] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 00C103FC
.text C:\Windows\system32\svchost.exe[1268] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00C10600
.text C:\Windows\system32\svchost.exe[1268] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00C10A08
.text C:\Windows\System32\svchost.exe[1468] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[1468] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[1468] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1468] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[1468] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[1468] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[1468] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[1468] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[1468] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[1468] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[1468] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1472] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[1472] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[1472] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00130804
.text C:\Windows\system32\svchost.exe[1472] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001301F8
.text C:\Windows\system32\svchost.exe[1472] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001303FC
.text C:\Windows\system32\svchost.exe[1472] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00130600
.text C:\Windows\system32\svchost.exe[1472] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00130A08
.text C:\Windows\system32\agrsmsvc.exe[1592] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000801F8
.text C:\Windows\system32\agrsmsvc.exe[1592] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000803FC
.text C:\Windows\system32\agrsmsvc.exe[1592] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\agrsmsvc.exe[1592] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000A03FC
.text C:\Windows\system32\agrsmsvc.exe[1592] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 000A0600
.text C:\Windows\system32\agrsmsvc.exe[1592] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 000A1014
.text C:\Windows\system32\agrsmsvc.exe[1592] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 000A0804
.text C:\Windows\system32\agrsmsvc.exe[1592] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 000A0A08
.text C:\Windows\system32\agrsmsvc.exe[1592] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 000A0C0C
.text C:\Windows\system32\agrsmsvc.exe[1592] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 000A0E10
.text C:\Windows\system32\agrsmsvc.exe[1592] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000A01F8
.text C:\Windows\system32\agrsmsvc.exe[1592] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 000B0804
.text C:\Windows\system32\agrsmsvc.exe[1592] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000B01F8
.text C:\Windows\system32\agrsmsvc.exe[1592] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000B03FC
.text C:\Windows\system32\agrsmsvc.exe[1592] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 000B0600
.text C:\Windows\system32\agrsmsvc.exe[1592] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 000B0A08
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1668] kernel32.dll!SetUnhandledExceptionFilter 7757700D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1668] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[1676] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\system32\Dwm.exe[1676] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\system32\Dwm.exe[1676] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[1676] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\system32\Dwm.exe[1676] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\system32\Dwm.exe[1676] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\system32\Dwm.exe[1676] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\system32\Dwm.exe[1676] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\system32\Dwm.exe[1676] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\system32\Dwm.exe[1676] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\system32\Dwm.exe[1676] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\system32\Dwm.exe[1676] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00080804
.text C:\Windows\system32\Dwm.exe[1676] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000801F8
.text C:\Windows\system32\Dwm.exe[1676] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000803FC
.text C:\Windows\system32\Dwm.exe[1676] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00080600
.text C:\Windows\system32\Dwm.exe[1676] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00080A08
.text C:\Windows\Explorer.EXE[1700] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\Explorer.EXE[1700] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\Explorer.EXE[1700] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\Explorer.EXE[1700] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\Explorer.EXE[1700] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\Explorer.EXE[1700] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\Explorer.EXE[1700] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\Explorer.EXE[1700] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\Explorer.EXE[1700] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\Explorer.EXE[1700] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\Explorer.EXE[1700] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\Explorer.EXE[1700] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00080804
.text C:\Windows\Explorer.EXE[1700] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000801F8
.text C:\Windows\Explorer.EXE[1700] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000803FC
.text C:\Windows\Explorer.EXE[1700] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00080600
.text C:\Windows\Explorer.EXE[1700] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00080A08
.text C:\Windows\System32\spoolsv.exe[1820] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\System32\spoolsv.exe[1820] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\System32\spoolsv.exe[1820] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1820] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\System32\spoolsv.exe[1820] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\System32\spoolsv.exe[1820] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\System32\spoolsv.exe[1820] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\System32\spoolsv.exe[1820] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\System32\spoolsv.exe[1820] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\System32\spoolsv.exe[1820] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\System32\spoolsv.exe[1820] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\System32\spoolsv.exe[1820] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 000D0804
.text C:\Windows\System32\spoolsv.exe[1820] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000D01F8
.text C:\Windows\System32\spoolsv.exe[1820] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000D03FC
.text C:\Windows\System32\spoolsv.exe[1820] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 000D0600
.text C:\Windows\System32\spoolsv.exe[1820] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 000D0A08
.text C:\Windows\system32\lxducoms.exe[1912] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001501F8
.text C:\Windows\system32\lxducoms.exe[1912] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001503FC
.text C:\Windows\system32\lxducoms.exe[1912] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\lxducoms.exe[1912] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00170804
.text C:\Windows\system32\lxducoms.exe[1912] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001701F8
.text C:\Windows\system32\lxducoms.exe[1912] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001703FC
.text C:\Windows\system32\lxducoms.exe[1912] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00170600
.text C:\Windows\system32\lxducoms.exe[1912] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00170A08
.text C:\Windows\system32\lxducoms.exe[1912] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001803FC
.text C:\Windows\system32\lxducoms.exe[1912] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00180600
.text C:\Windows\system32\lxducoms.exe[1912] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00181014
.text C:\Windows\system32\lxducoms.exe[1912] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00180804
.text C:\Windows\system32\lxducoms.exe[1912] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00180A08
.text C:\Windows\system32\lxducoms.exe[1912] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00180C0C
.text C:\Windows\system32\lxducoms.exe[1912] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00180E10
.text C:\Windows\system32\lxducoms.exe[1912] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001801F8
.text C:\Windows\system32\taskeng.exe[1916] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskeng.exe[1916] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskeng.exe[1916] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[1916] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\system32\taskeng.exe[1916] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\system32\taskeng.exe[1916] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\system32\taskeng.exe[1916] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\system32\taskeng.exe[1916] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\system32\taskeng.exe[1916] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\system32\taskeng.exe[1916] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\system32\taskeng.exe[1916] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\system32\taskeng.exe[1916] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00080804
.text C:\Windows\system32\taskeng.exe[1916] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000801F8
.text C:\Windows\system32\taskeng.exe[1916] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000803FC
.text C:\Windows\system32\taskeng.exe[1916] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00080600
.text C:\Windows\system32\taskeng.exe[1916] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00080A08
.text C:\Windows\system32\taskeng.exe[1948] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskeng.exe[1948] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskeng.exe[1948] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[1948] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\system32\taskeng.exe[1948] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\system32\taskeng.exe[1948] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\system32\taskeng.exe[1948] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\system32\taskeng.exe[1948] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\system32\taskeng.exe[1948] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\system32\taskeng.exe[1948] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\system32\taskeng.exe[1948] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\system32\taskeng.exe[1948] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00080804
.text C:\Windows\system32\taskeng.exe[1948] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000801F8
.text C:\Windows\system32\taskeng.exe[1948] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000803FC
.text C:\Windows\system32\taskeng.exe[1948] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00080600
.text C:\Windows\system32\taskeng.exe[1948] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00080A08
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000B03FC
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 000B0600
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 000B1014
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 000B0804
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 000B0A08
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 000B0C0C
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 000B0E10
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000B01F8
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 008C0804
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 008C01F8
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 008C03FC
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 008C0600
.text C:\Program Files\Microsoft\BingBar\SeaPort.EXE[2160] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 008C0A08
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001803FC
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00180600
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00181014
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00180804
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00180A08
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00180C0C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00180E10
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001801F8
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00190804
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001901F8
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001903FC
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] USER32.dll!GetWindowInfo 77070560 5 Bytes JMP 68700924 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] USER32.dll!SetWindowLongA 77070736 5 Bytes JMP 689701A3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] USER32.dll!SetWindowLongW 77071F35 5 Bytes JMP 68970135 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] USER32.dll!TrackPopupMenu 77081417 5 Bytes JMP 68700ECF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00190600
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00190A08
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00080804
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000801F8
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000803FC
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00080600
.text C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe[2436] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00080A08
.text C:\Windows\system32\svchost.exe[2456] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[2456] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[2456] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2456] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000B03FC
.text C:\Windows\system32\svchost.exe[2456] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 000B0600
.text C:\Windows\system32\svchost.exe[2456] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 000B1014
.text C:\Windows\system32\svchost.exe[2456] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 000B0804
.text C:\Windows\system32\svchost.exe[2456] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 000B0A08
.text C:\Windows\system32\svchost.exe[2456] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 000B0C0C
.text C:\Windows\system32\svchost.exe[2456] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 000B0E10
.text C:\Windows\system32\svchost.exe[2456] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000B01F8
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001501F8
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001503FC
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00170804
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001701F8
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001703FC
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00170600
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00170A08
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001803FC
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00180600
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00181014
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00180804
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00180A08
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00180C0C
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00180E10
.text C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe[2484] ADVAPI32.dll!CreateServiceA

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Thu 31 May 2012, 9:03 am

77936C71 5 Bytes JMP 001801F8
.text C:\Windows\system32\TODDSrv.exe[2524] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001401F8
.text C:\Windows\system32\TODDSrv.exe[2524] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001403FC
.text C:\Windows\system32\TODDSrv.exe[2524] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\TODDSrv.exe[2524] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00160804
.text C:\Windows\system32\TODDSrv.exe[2524] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001601F8
.text C:\Windows\system32\TODDSrv.exe[2524] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001603FC
.text C:\Windows\system32\TODDSrv.exe[2524] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00160600
.text C:\Windows\system32\TODDSrv.exe[2524] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00160A08
.text C:\Windows\system32\TODDSrv.exe[2524] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001703FC
.text C:\Windows\system32\TODDSrv.exe[2524] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00170600
.text C:\Windows\system32\TODDSrv.exe[2524] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00171014
.text C:\Windows\system32\TODDSrv.exe[2524] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00170804
.text C:\Windows\system32\TODDSrv.exe[2524] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00170A08
.text C:\Windows\system32\TODDSrv.exe[2524] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00170C0C
.text C:\Windows\system32\TODDSrv.exe[2524] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00170E10
.text C:\Windows\system32\TODDSrv.exe[2524] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001701F8
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001501F8
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001503FC
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001A03FC
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 001A0600
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 001A1014
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 001A0804
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 001A0A08
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 001A0C0C
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 001A0E10
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001A01F8
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 001B0804
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001B01F8
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001B03FC
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 001B0600
.text C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe[2556] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 001B0A08
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001501F8
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001503FC
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001703FC
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00170600
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00171014
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00170804
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00170A08
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00170C0C
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00170E10
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001701F8
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00180804
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001801F8
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001803FC
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00180600
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe[2612] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00180A08
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2628] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001401F8
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2628] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001403FC
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2628] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2628] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001603FC
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2628] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00160600
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2628] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00161014
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2628] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00160804
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2628] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00160A08
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2628] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00160C0C
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2628] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00160E10
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2628] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001601F8
.text C:\Windows\System32\svchost.exe[2660] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\System32\svchost.exe[2660] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\System32\svchost.exe[2660] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\System32\svchost.exe[2660] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[2660] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[2660] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[2660] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[2660] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[2660] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[2660] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[2660] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000401F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000403FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000A03FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 000A0600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 000A1014
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 000A0804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 000A0A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 000A0C0C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 000A0E10
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000A01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 000B0804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000B01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000B03FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 000B0600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2692] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 000B0A08
.text C:\Windows\system32\SearchIndexer.exe[2708] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\system32\SearchIndexer.exe[2708] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\system32\SearchIndexer.exe[2708] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[2708] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\system32\SearchIndexer.exe[2708] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\system32\SearchIndexer.exe[2708] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\system32\SearchIndexer.exe[2708] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\system32\SearchIndexer.exe[2708] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\system32\SearchIndexer.exe[2708] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\system32\SearchIndexer.exe[2708] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\system32\SearchIndexer.exe[2708] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\system32\SearchIndexer.exe[2708] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00080804
.text C:\Windows\system32\SearchIndexer.exe[2708] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000801F8
.text C:\Windows\system32\SearchIndexer.exe[2708] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000803FC
.text C:\Windows\system32\SearchIndexer.exe[2708] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00080600
.text C:\Windows\system32\SearchIndexer.exe[2708] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00080A08
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000D01F8
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000D03FC
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001503FC
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00150600
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00151014
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00150804
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00150A08
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00150C0C
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00150E10
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001501F8
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00160804
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001601F8
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001603FC
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00160600
.text C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe[2844] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00160A08
.text C:\Windows\System32\mobsync.exe[2952] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Windows\System32\mobsync.exe[2952] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Windows\System32\mobsync.exe[2952] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\System32\mobsync.exe[2952] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000703FC
.text C:\Windows\System32\mobsync.exe[2952] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00070600
.text C:\Windows\System32\mobsync.exe[2952] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00071014
.text C:\Windows\System32\mobsync.exe[2952] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00070804
.text C:\Windows\System32\mobsync.exe[2952] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00070A08
.text C:\Windows\System32\mobsync.exe[2952] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00070C0C
.text C:\Windows\System32\mobsync.exe[2952] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00070E10
.text C:\Windows\System32\mobsync.exe[2952] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000701F8
.text C:\Windows\System32\mobsync.exe[2952] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00080804
.text C:\Windows\System32\mobsync.exe[2952] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000801F8
.text C:\Windows\System32\mobsync.exe[2952] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000803FC
.text C:\Windows\System32\mobsync.exe[2952] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00080600
.text C:\Windows\System32\mobsync.exe[2952] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00080A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 68585B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00170804
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001701F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001703FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00170600
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00170A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001803FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00180600
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00181014
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00180804
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00180A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00180C0C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00180E10
.text C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001801F8
.text C:\Windows\system32\wuauclt.exe[3164] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000A01F8
.text C:\Windows\system32\wuauclt.exe[3164] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000A03FC
.text C:\Windows\system32\wuauclt.exe[3164] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Windows\system32\wuauclt.exe[3164] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 001B0804
.text C:\Windows\system32\wuauclt.exe[3164] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001B01F8
.text C:\Windows\system32\wuauclt.exe[3164] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001B03FC
.text C:\Windows\system32\wuauclt.exe[3164] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 001B0600
.text C:\Windows\system32\wuauclt.exe[3164] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 001B0A08
.text C:\Windows\system32\wuauclt.exe[3164] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001C03FC
.text C:\Windows\system32\wuauclt.exe[3164] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 001C0600
.text C:\Windows\system32\wuauclt.exe[3164] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 3 Bytes JMP 001C1014
.text C:\Windows\system32\wuauclt.exe[3164] ADVAPI32.dll!SetServiceObjectSecurity + 4 779366AD 1 Byte [88]
.text C:\Windows\system32\wuauclt.exe[3164] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 001C0804
.text C:\Windows\system32\wuauclt.exe[3164] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 001C0A08
.text C:\Windows\system32\wuauclt.exe[3164] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 001C0C0C
.text C:\Windows\system32\wuauclt.exe[3164] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 001C0E10
.text C:\Windows\system32\wuauclt.exe[3164] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001C01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000401F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000403FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000903FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00090600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00091014
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00090804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00090A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00090C0C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00090E10
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000901F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 000A0804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000A01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000A03FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 000A0600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3216] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 000A0A08
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001501F8
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001503FC
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001903FC
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00190600
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00191014
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00190804
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00190A08
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00190C0C
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00190E10
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001901F8
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 001A0804
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001A01F8
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001A03FC
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 001A0600
.text C:\Users\JonEJet\Desktop\311zqyeh.exe[3312] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 001A0A08
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 000501F8
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 000503FC
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 000803FC
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00080600
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00081014
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00080804
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00080A08
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00080C0C
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00080E10
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 000801F8
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00090804
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 000901F8
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 000903FC
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00090600
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] USER32.dll!UnhookWindowsHookEx 770908BE 3 Bytes JMP 00090A08
.text C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3688] USER32.dll!UnhookWindowsHookEx + 4 770908C2 1 Byte [89]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001501F8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001503FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00170804
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001701F8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001703FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00170600
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00170A08
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001803FC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00180600
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00181014
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00180804
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00180A08
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00180C0C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00180E10
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3992] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001801F8
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] ntdll.dll!LdrLoadDll 77AF79B3 5 Bytes JMP 001501F8
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] ntdll.dll!LdrUnloadDll 77B0E5AC 5 Bytes JMP 001503FC
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] kernel32.dll!GetBinaryTypeW + 70 775A1CE8 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] USER32.dll!SetWindowsHookExW 77067B69 5 Bytes JMP 00170804
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] USER32.dll!SetWinEventHook 7706915C 5 Bytes JMP 001701F8
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] USER32.dll!UnhookWinEvent 7706B702 5 Bytes JMP 001703FC
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] USER32.dll!SetWindowsHookExA 7708BB0E 5 Bytes JMP 00170600
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] USER32.dll!UnhookWindowsHookEx 770908BE 5 Bytes JMP 00170A08
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] ADVAPI32.dll!CreateServiceW 778F38FF 5 Bytes JMP 001803FC
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] ADVAPI32.dll!DeleteService 778F3BEE 5 Bytes JMP 00180600
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] ADVAPI32.dll!SetServiceObjectSecurity 779366A9 5 Bytes JMP 00181014
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] ADVAPI32.dll!ChangeServiceConfigA 779367A9 5 Bytes JMP 00180804
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] ADVAPI32.dll!ChangeServiceConfigW 77936951 5 Bytes JMP 00180A08
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] ADVAPI32.dll!ChangeServiceConfig2A 77936A69 5 Bytes JMP 00180C0C
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] ADVAPI32.dll!ChangeServiceConfig2W 77936BB1 5 Bytes JMP 00180E10
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[4064] ADVAPI32.dll!CreateServiceA 77936C71 5 Bytes JMP 001801F8

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[616] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00100002
IAT C:\Windows\system32\services.exe[616] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00100000
IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[1072] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [71F2F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1668] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [71F2F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Files - GMER 1.0.15 ----

File C:\avast! sandbox 0 bytes
File C:\avast! sandbox\S-1-5-21-3334157229-1843940417-2705372315-1000 0 bytes
File C:\avast! sandbox\S-1-5-21-3334157229-1843940417-2705372315-1000\webStorage 0 bytes
File C:\avast! sandbox\S-1-5-21-3334157229-1843940417-2705372315-1000\webStorage\C 0 bytes
File C:\avast! sandbox\S-1-5-21-3334157229-1843940417-2705372315-1000\webStorage\snx_fs.dat 180 bytes
File C:\avast! sandbox\snx_rhive 262144 bytes
File C:\avast! sandbox\snx_rhive.LOG1 21504 bytes
File C:\avast! sandbox\snx_rhive.LOG2 0 bytes
File C:\avast! sandbox\snx_rhive{58f0e527-a8f7-11e1-a69c-00a0d19c578a}.TM.blf 65536 bytes
File C:\avast! sandbox\snx_rhive{58f0e527-a8f7-11e1-a69c-00a0d19c578a}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File C:\avast! sandbox\snx_rhive{58f0e527-a8f7-11e1-a69c-00a0d19c578a}.TMContainer00000000000000000002.regtrans-ms 524288 bytes

---- EOF - GMER 1.0.15 ----

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Thu 31 May 2012, 9:06 am

Ran the other program, and it says

Win32/Sirefef is not found


Something sure isn't right, and tried ComboFix in safe mode once again with no luck

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Gabethebabe on Fri 01 Jun 2012, 12:01 am

OK, I asked some of our staff to help me on this, it appears that we deal with a tough new variant.

Please delete combofix from your desktop. We´re going to download a new copy by the following instructions:

Please visit this webpage and proceed to download ComboFix, but rename it during the download, to make sure the malware does not interfere.

The easiest is to download using Internet Explorer. If you insist on using Mozilla Firefox, you have to make a change to its configuration:
Tools >> Options >> General >> Downloads >> select Always ask me where to save files.

Use one of the links in the guide to download ComboFix and when your browser asks you where to save it, change the name of the file to svchost.exe and save it to your desktop.



Doubleclick svchost.exe to run the tool. Please post its log back here.

Gabethebabe

Tech Advisor
Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Fri 01 Jun 2012, 12:04 am

I tried to delete the Combo fix using the tutorial, and I can't remove it....I tried yesterday, and will try again

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Fri 01 Jun 2012, 12:45 am

I ran this, per the Combofix guide and tutorial

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_22
Run by JonEJet at 9:42:27 on 2012-05-31
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.836 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\lxducoms.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:54828
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\users\jonejet\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\users\jonejet\appdata\local\temp\quickstart.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
TCP: DhcpNameServer = 208.59.247.45 208.59.247.46
TCP: Interfaces\{3BCB3EAE-FB8F-4141-8934-8A0E11E5B570} : DhcpNameServer = 192.168.11.1
TCP: Interfaces\{DBCEC8C8-8DDA-4014-B428-FED0EEFC40F8} : DhcpNameServer = 208.59.247.45 208.59.247.46
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GoogleDesktopNetwork3.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jonejet\appdata\roaming\mozilla\firefox\profiles\okcrvxtn.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 54828
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-2-8 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-2-9 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-2-9 20696]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-2-8 57688]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-2-8 44768]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-6-17 66616]
R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-11-6 7168]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2007-12-11 252416]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2011-10-1 579944]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2011-10-1 194408]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2011-10-1 19304]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-6-17 136360]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-6-17 269480]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]
S2 gupdate1caa3b3b7341e00;Google Update Service (gupdate1caa3b3b7341e00);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 133104]
S2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2011-10-1 508776]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 133104]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2011-10-1 21864]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-05-31 13:18:20 0 ----a-w- c:\windows\system32\sho5BF7.tmp
2012-05-31 13:10:08 -------- d-----w- C:\MyComboFix
2012-05-30 14:20:51 -------- d-----w- c:\users\jonejet\appdata\roaming\FixZeroAccess
2012-05-29 15:23:37 -------- d-----w- c:\program files\Free Download Manager
2012-05-29 15:22:36 -------- d-----w- c:\programdata\Babylon
2012-05-29 15:22:35 -------- d-----w- c:\users\jonejet\appdata\roaming\Babylon
2012-05-29 14:33:40 0 ----a-w- c:\windows\system32\shoD4F8.tmp
2012-05-29 13:26:58 6737808 ------w- c:\programdata\microsoft\windows defender\definition updates\updates\mpengine.dll
2012-05-28 20:49:55 -------- d-----w- c:\programdata\Sophos
2012-05-28 20:49:47 73728 ----a-r- c:\users\jonejet\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-05-28 20:49:47 73728 ----a-r- c:\users\jonejet\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-05-28 20:49:47 73728 ----a-r- c:\users\jonejet\appdata\roaming\microsoft\installer\{b829e117-d072-41ea-9606-9826a38d34c1}\ARPPRODUCTICON.exe
2012-05-28 20:49:08 -------- d-----w- c:\program files\Sophos
2012-05-28 19:04:44 -------- d-----w- c:\programdata\blekko toolbars
2012-05-28 19:04:14 -------- d-----w- c:\users\jonejet\appdata\local\blekkotb_031
.
==================== Find3M ====================
.
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-06 23:15:19 41184 ----a-w- c:\windows\avastSS.scr
2012-03-06 23:03:51 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-06 23:01:48 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
.
============= FINISH: 9:43:45.36 ===============

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Fri 01 Jun 2012, 1:16 am

Wow, is this getting aggravating. I deleted Combofix from my desktop, and downloaded it per your instructions. I renamed it, as per your instructions. I ran the program from my desktop, and as I ran it, it automatically renamed it on my laptop to Combofix once again.

Still in the loop.

I even try to uninstall it, just to reinstall it. I can not uninstall.

Wow, what to do?

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Fri 01 Jun 2012, 2:26 am

Is system restore an option? I'm losing it...took work off today....lol

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Fri 01 Jun 2012, 12:19 pm

So, I was finally able to uninstall the Combofix.....went to Safe Mode to run it,and thought I had it,until it decided to reboot.

Also, even though I rename the file when I save it, when I run it, it changes back to combofix on my desktop.

Frustrated beyond belief at this point

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Gabethebabe on Fri 01 Jun 2012, 7:38 pm

I understand

I am currently awaiting some feedback from my colleagues, who are more up to date with this infection.

I have an idea of my own, but I first have to verify whether the procedure actually works.

Gabethebabe

Tech Advisor
Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Gabethebabe on Fri 01 Jun 2012, 8:59 pm

OK, I haven´t heard yet from my colleagues, so we´re going with my plan.

The malware has a firm grip on your computer and our tools cannot penetrate its defenses. So we are going to approach your harddisk with a boot cd, because in that way the malware is not loaded and helpless.

====================

Please download SystemLook by jpshortstuff from one of the locations below and save it to the root directory of your system harddisk (C:\SystemLook.exe), so we can find it easily later.
Download Mirror #1 (32-bit)
Download Mirror #2 (32-bit)

====================

This is where we create the boot CD.

  • You will need a blank CD to burn it.
  • Download OTLPEStd.exe by OldTimer from here (a big download)
  • Double-click on OTLPEStd.exe to burn the boot CD
  • Print the instructions below, because you won't have internet access during the next steps.
  • Reboot your system using the boot CD you just created. If you don´t know how to boot from CD, check out this page
  • Booting will take quite some time, so please be patient
  • Finally you should see the REATOGO-X-PE desktop.
  • Browse to your system disk, run SystemLook.exe by double clicking it
  • In the text field write the following:
    :dir
    c:\windows\system32\drivers /n*.sys /md5
    c:\windows\system32 /n*.dll /md5
  • After that, click Look.
  • It will generate a report (SystemLook.txt). Please copy and paste that into your next post.




Gabethebabe

Tech Advisor
Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Gabethebabe on Sat 02 Jun 2012, 12:29 am

Besides doing what I said in my previous post, please also do the following (without booting from CD):

Please download OTL by OldTimer from here and save it to your desktop.
  • Close all windows and double click OTL.exe.
  • The Extra Registry setting should be Use Safelist
  • Copy and paste the following text into the Custom Scans/Fixes box:

Code:
%APPDATA%\Microsoft\*.*
%systemroot%\system32\config\systemprofile\*.dat /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\winn32\*.*
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%PROGRAMFILES%\Mozilla Firefox\*.exe
%ProgramFiles%\TinyProxy.
%systemroot%\system32\*.* /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.* /lockedfiles
%PROGRAMFILES%\*.
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
/md5start
netlogon.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
disk.sys
explorer.exe
userinit.exe
winlogon.exe
/md5stop
CREATERESTOREPOINT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
  • Click the Run Scan button and allow it to run.
  • It will produce two logs for you, OTL.txt and Extras.txt. Please post both logs in this thread.
  • You may need multiple posts to get it all.

Gabethebabe

Tech Advisor
Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Sat 02 Jun 2012, 3:35 am

Okay, this is so much fun. Once again, thank you for your help.

So I tried to run my DVD/CD player. Sure enough it seems to be infused with this virus. It won't run.

Secondly, I copied and pasted the instructions in the Old Timer. Ran it,and once it scanned right to my firefox, it would stop the scan. So, I uninstalled my firefox, and tried it that way with no luck.

I will now try in safe mode, and will give you my results.

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Sat 02 Jun 2012, 3:55 am

Once again, the scan will not finish even in safe mode once the scan reaches firefox.

Time for a new computer? lol

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Gabethebabe on Sun 03 Jun 2012, 1:12 am

You DVD/CD does not work at all, as in: it has a hardware problem? Because if it does not work at all, we cannot go the offline booting route, which is a pretty important route.

If the malware just disables the CD, maybe you can burn it on a clean computer?

If all fails, we can always go and take out the HD from your laptop, it will have a standard SATA connection and plug it into a working computer.

Gabethebabe

Tech Advisor
Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Sun 03 Jun 2012, 1:17 am

Ahhh....I can burn from another computer

Not sure what I was thinking...thought I had to burn from this computer


I can always do the hard drive thing....I have another working laptop close.

I don't think there is a hardware problem with my cd/dvd, rather it seems the virus disables it


Think I'll pull the hard drive and try to fix that way

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by JonEJet on Sun 03 Jun 2012, 3:03 am

Going to have to try another laptop to transfer hard drives.

Was not able to access the internet when I transferred the hard drive

JonEJet

Senior Surfer
Senior Surfer

Posts : 210
Joined : 2009-07-17
Operating System : XP

View user profile

Back to top Go down

Re: Root Kit....Zero Access

Post by Sponsored content Today at 9:47 am


Sponsored content


Back to top Go down

Page 1 of 11 1, 2, 3 ... 9, 10, 11  Next

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum