1.
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 3915776 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 78.11 )
0xB849C000 C:\WINDOWS\System32\DRIVERS\nv4_mini.sys 3211264 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 78.11 )
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2192768 bytes
0x804D7000 RAW 2192768 bytes
0x804D7000 WMIxWDM 2192768 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB3CFA000 C:\WINDOWS\system32\drivers\nixsrk.dll 1773568 bytes (National Instruments Corporation, NI M-Series Runtime)
0xB8231000 C:\WINDOWS\System32\DRIVERS\HSF_DP.sys 1064960 bytes (Conexant Systems, Inc., HSF_DP driver)
0xB4304000 C:\WINDOWS\system32\drivers\nidwgk.dll 995328 bytes (National Instruments Corporation, NI Digital Waveform Generator)
0xB444D000 C:\WINDOWS\system32\drivers\nisrcdk.dll 983040 bytes (National Instruments Corporation, NI Sources Driver Component)
0xB413A000 C:\WINDOWS\system32\drivers\nihsdrk.dll 831488 bytes (National Instruments Corporation, High Speed Digitizer Runtime)
0xB3EAB000 C:\WINDOWS\system32\drivers\nitiork.dll 806912 bytes (National Instruments Corporation, NI TIO Counter Runtime Library)
0xB474F000 C:\WINDOWS\System32\Drivers\Nidaq32k.SYS 696320 bytes (National Instruments Corporation, NI-DAQ Windows NT Kernel Driver)
0xB8196000 C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys 634880 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF7B49000 nipalk.sys 614400 bytes (National Instruments Corporation, NI-PAL Driver for Windows)
0xBA773000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB40B9000 C:\WINDOWS\system32\drivers\niscdk.dll 528384 bytes (National Instruments Corporation, NI Signal Conditioning Driver Component)
0xB3F70000 C:\WINDOWS\system32\drivers\niswdk.dll 516096 bytes (National Instruments Corporation, NI Switch Drivers)
0xB6E17000 C:\WINDOWS\System32\Drivers\aswSnx.SYS 458752 bytes (AVAST Software, avast! Virtualization Driver)
0xB6ED1000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB3FEE000 C:\WINDOWS\system32\drivers\nisldk.dll 409600 bytes (National Instruments Corporation, NI 4070 for PXI Driver Component)
0xB4205000 C:\WINDOWS\system32\drivers\niemrk.dll 389120 bytes (National Instruments Corporation, NI Embedded Runtime)
0xB80B8000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB7004000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB4AB4000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB8417000 C:\WINDOWS\System32\DRIVERS\bcmwl5.sys 315392 bytes (Broadcom Corporation, BCM 802.11g Network Adapter wireless driver)
0xB6E87000 C:\WINDOWS\System32\Drivers\aswSP.SYS 303104 bytes (AVAST Software, avast! self protection module)
0xBF3CE000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB310B000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB466A000 C:\WINDOWS\system32\drivers\nimru2k.dll 266240 bytes (National Instruments Corporation, NI Measurement Routing Utilities)
0xB8388000 C:\WINDOWS\system32\drivers\STAC97.sys 266240 bytes (SigmaTel, Inc., SigmaTel Audio Driver (WDM))
0xB4565000 C:\WINDOWS\system32\drivers\nipsdk.dll 262144 bytes (National Instruments Corporation, NI PXI-4110 Driver Component)
0xB4052000 C:\WINDOWS\system32\drivers\nisdigk.dll 258048 bytes (National Instruments Corporation, NI Static Digital Component)
0xB4837000 C:\WINDOWS\system32\drivers\nimxdfk.dll 237568 bytes (National Instruments Corporation, NI mx Driver Framework)
0xB4709000 C:\WINDOWS\system32\drivers\nidmxfk.dll 217088 bytes (National Instruments Corporation, NI-DAQmx Framework)
0xB4B0C000 C:\WINDOWS\System32\drivers\gpibprtk.sys 208896 bytes (National Instruments Corporation, NI-488.2 Kernel Mode Driver)
0xB813E000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB8335000 C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys 192512 bytes (Conexant Systems, Inc., HSFHWICH WDM driver)
0xB4882000 C:\WINDOWS\system32\drivers\nimdbgk.dll 192512 bytes (National Instruments Corporation, NI Measurements DeBuG Library)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB43F7000 C:\WINDOWS\system32\drivers\nicdrk.dll 188416 bytes (National Instruments Corporation, NI Common Digital Runtime)
0xB4C18000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7419000 C:\WINDOWS\System32\drivers\NDIS.SYS 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xAB67A000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB48B1000 C:\WINDOWS\system32\drivers\nidimk.dll 176128 bytes (National Instruments Corporation, NI Device Interconnect Manager)
0xB6F41000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB6F8E000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB6FDE000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB45A5000 C:\WINDOWS\system32\drivers\nimsdrk.dll 151552 bytes (National Instruments Corporation, NI Measurements Streaming DMA Runtime Component)
0xB8364000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB8464000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB83C9000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB6F6C000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF7482000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB49CC000 C:\WINDOWS\system32\drivers\nistck.dll 131072 bytes (National Instruments Corporation, STC Manager for Windows (Kernel))
0xF74BA000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF74D9000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xB46D3000 C:\WINDOWS\system32\drivers\nigplk.dll 118784 bytes (National Instruments Corporation, NI General Primitive Library Component)
0xBA6A8000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB46F0000 C:\WINDOWS\system32\drivers\nifslk.dll 102400 bytes (National Instruments Corporation, NI Fusion Standard Library)
0xF74A2000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB6DD7000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB8400000 C:\WINDOWS\System32\DRIVERS\Apfiltr.sys 94208 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0xB4E4D000 C:\WINDOWS\System32\Drivers\aswMon2.SYS 94208 bytes (AVAST Software, avast! File System Filter Driver for Windows XP)
0xF7459000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB817F000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB4821000 C:\WINDOWS\system32\drivers\nipxirmk.dll 90112 bytes (National Instruments Corporation, NI PXI Resource Manager)
0xB3495000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB83EC000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB8488000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0x806EF000 ACPI_HAL 81152 bytes
0x806EF000 C:\WINDOWS\system32\hal.dll 81152 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB705D000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF7446000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7470000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB473E000 C:\WINDOWS\system32\drivers\nidmmk.dll 69632 bytes (National Instruments Corporation, NIDMM Kernel Mode Component for WinNT/2k)
0xB4871000 C:\WINDOWS\system32\drivers\nimstsk.dll 69632 bytes (National Instruments Corporation, NI Measurements Status Component)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB816E000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA762000 sfdrv01.sys 69632 bytes (Protection Technology, StarForce Protection Environment Driver)
0xBA3C3000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7557000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7657000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF7577000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7537000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF76F7000 C:\WINDOWS\System32\DRIVERS\gticard.sys 61440 bytes (Texas Instruments, Texas Instruments GemCore IFD Handler)
0xF7547000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB4A1C000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA732000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7667000 C:\WINDOWS\System32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xB4CB5000 C:\WINDOWS\system32\drivers\niorbk.dll 57344 bytes (National Instruments Corporation, NI Object Request Broker)
0xF7637000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7587000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xB9C3D000 C:\WINDOWS\system32\drivers\niarbk.dll 53248 bytes (National Instruments Corporation, NI-ARB Kernel Library for Windows)
0xF7527000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF7507000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7677000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xBA6E2000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB4CD5000 C:\WINDOWS\System32\drivers\gpib420.sys 45056 bytes (National Instruments Corporation, GPIB Analyzer Driver)
0xF7567000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB4CF5000 C:\WINDOWS\system32\drivers\nimdsk.dll 45056 bytes (National Instruments Corporation, NI-MDS Kernel Library for Windows)
0xF7517000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA742000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB4CE5000 C:\WINDOWS\system32\drivers\nimxpk.dll 40960 bytes (National Instruments Corporation, NI Measurements eXtensions for PAL)
0xB4BC8000 C:\WINDOWS\System32\DRIVERS\secdrv.sys 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0xBA752000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB4BA8000 C:\WINDOWS\system32\drivers\usb6xxxk.dll 40960 bytes (National Instruments Corporation, usb6xxx)
0xBA722000 C:\WINDOWS\System32\Drivers\aswTdi.SYS 36864 bytes (AVAST Software, avast! TDI Filter Driver)
0xB45DA000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA6D2000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF76E7000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF74F7000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA702000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB4D25000 C:\WINDOWS\system32\drivers\nibffrk.dll 36864 bytes (National Instruments Corporation, NI Buffer Services Kernel Library for Windows)
0xF7647000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA712000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF777F000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xB9D64000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF771F000 sfhlp02.sys 32768 bytes (Protection Technology, StarForce Protection Helper Driver)
0xB9D3C000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7747000 C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB9D1C000 C:\WINDOWS\system32\drivers\lvalarmk.dll 28672 bytes (National Instruments, lvalarms)
0xF7707000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7777000 C:\WINDOWS\System32\Drivers\Aavmker4.SYS 24576 bytes (AVAST Software, avast! Base Kernel-Mode Device Driver for Windows NT/2000/XP)
0xF7757000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF774F000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB9D2C000 C:\WINDOWS\system32\drivers\tiumfwl.sys 24576 bytes (Texas Instruments Inc., tiumfwl.sys)
0xB9D44000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF780F000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB9D4C000 C:\WINDOWS\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
0xF781F000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF77CF000 C:\WINDOWS\System32\DRIVERS\omci.sys 20480 bytes (Dell Inc, OMCI Device Driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF779F000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF77AF000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF7717000 C:\WINDOWS\System32\drivers\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF77E7000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF789F000 C:\WINDOWS\System32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA648000 C:\WINDOWS\System32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB5050000 C:\WINDOWS\System32\DRIVERS\mdc8021x.sys 16384 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xBA684000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB5048000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA5F0000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA5FC000 C:\WINDOWS\System32\DRIVERS\SMCLIB.SYS 16384 bytes (Microsoft Corporation, Smard Card Driver Library)
0xBA658000 C:\WINDOWS\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF789B000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB6FBA000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB811E000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xBA640000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xB4C61000 C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF794B000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF792F000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA5F4000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB518E000 C:\WINDOWS\system32\Drivers\BASFND.sys 8192 bytes (Broadcom Corporation, Broadcom NetDetect Driver.)
0xF79D3000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF79A3000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79CF000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF798B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79D7000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79AB000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF79DB000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79BF000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF798D000 tiumflt.sys 8192 bytes (Texas Instruments Inc., tiumflt.sys)
0xF79C9000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xB9537000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA543000 C:\WINDOWS\System32\Drivers\cvintdrv.SYS 4096 bytes
0xF7AB3000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xB87B3000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B75C, Type: Inline - RelativeJump 0x804E275C-->804E2742 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B7D4, Type: Inline - RelativeJump 0x804E27D4-->804E27BA [ntoskrnl.exe]
ntoskrnl.exe+0x0000B804, Type: Inline - RelativeJump 0x804E2804-->D7BF08C1 [unknown_code_page]
ntoskrnl.exe+0x0000B880, Type: Inline - RelativeJump 0x804E2880-->804E2852 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B894, Type: Inline - RelativeJump 0x804E2894-->804E2865 [ntoskrnl.exe]
ntoskrnl.exe+0x0000B8DC, Type: Inline - RelativeJump 0x804E28DC-->DE016599 [unknown_code_page]
ntoskrnl.exe+0x0000B9B8, Type: Inline - RelativeJump 0x804E29B8-->E54CAC75 [unknown_code_page]
ntoskrnl.exe+0x0000B9E8, Type: Inline - RelativeCall 0x804E29E8-->FD050EC3 [unknown_code_page]
ntoskrnl.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x8058124C-->B6EA639C [aswSP.SYS]
ntoskrnl.exe-->ObInsertObject, Type: Inline - RelativeJump 0x805650BA-->B6EA37F2 [aswSP.SYS]
ntoskrnl.exe-->ObMakeTemporaryObject, Type: Inline - RelativeJump 0x805A038B-->B6EA1D4C [aswSP.SYS]
[1004]BAsfIpM.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->00390C0C [unknown_code_page]
[1004]BAsfIpM.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->00390E10 [unknown_code_page]
[1004]BAsfIpM.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->00390804 [unknown_code_page]
[1004]BAsfIpM.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->00390A08 [unknown_code_page]
[1004]BAsfIpM.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->003901F8 [unknown_code_page]
[1004]BAsfIpM.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->003903FC [unknown_code_page]
[1004]BAsfIpM.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->00390600 [unknown_code_page]
[1004]BAsfIpM.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->00391014 [unknown_code_page]
[1004]BAsfIpM.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[1004]BAsfIpM.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[1004]BAsfIpM.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->001401F8 [unknown_code_page]
[1004]BAsfIpM.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->001403FC [unknown_code_page]
[1004]BAsfIpM.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->00380600 [unknown_code_page]
[1004]BAsfIpM.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->00380804 [unknown_code_page]
[1004]BAsfIpM.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->003801F8 [unknown_code_page]
[1004]BAsfIpM.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->00380A08 [unknown_code_page]
[1004]BAsfIpM.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->003803FC [unknown_code_page]
[1048]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002B0C0C [unknown_code_page]
[1048]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002B0E10 [unknown_code_page]
[1048]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002B0804 [unknown_code_page]
[1048]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002B0A08 [unknown_code_page]
[1048]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002B01F8 [unknown_code_page]
[1048]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002B03FC [unknown_code_page]
[1048]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002B0600 [unknown_code_page]
[1048]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002B1014 [unknown_code_page]
[1048]svchost.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[1048]svchost.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[1048]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[1048]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[1048]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002C0600 [unknown_code_page]
[1048]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002C0804 [unknown_code_page]
[1048]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002C01F8 [unknown_code_page]
[1048]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002C0A08 [unknown_code_page]
[1048]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002C03FC [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002B0C0C [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002B0E10 [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002B0804 [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002B0A08 [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002B01F8 [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002B03FC [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002B0600 [unknown_code_page]
[1112]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002B1014 [unknown_code_page]
[1112]svchost.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[1112]svchost.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[1112]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[1112]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[1112]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002C0600 [unknown_code_page]
[1112]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002C0804 [unknown_code_page]
[1112]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002C01F8 [unknown_code_page]
[1112]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002C0A08 [unknown_code_page]
[1112]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002C03FC [unknown_code_page]
[1144]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002B0C0C [unknown_code_page]
[1144]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002B0E10 [unknown_code_page]
[1144]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002B0804 [unknown_code_page]
[1144]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002B0A08 [unknown_code_page]
[1144]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002B01F8 [unknown_code_page]
[1144]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002B03FC [unknown_code_page]
[1144]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002B0600 [unknown_code_page]
[1144]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002B1014 [unknown_code_page]
[1144]svchost.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[1144]svchost.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[1144]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[1144]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[1144]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002C0600 [unknown_code_page]
[1144]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002C0804 [unknown_code_page]
[1144]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002C01F8 [unknown_code_page]
[1144]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002C0A08 [unknown_code_page]
[1144]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002C03FC [unknown_code_page]
[1268]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002B0C0C [unknown_code_page]
[1268]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002B0E10 [unknown_code_page]
[1268]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002B0804 [unknown_code_page]
[1268]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002B0A08 [unknown_code_page]
[1268]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002B01F8 [unknown_code_page]
[1268]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002B03FC [unknown_code_page]
[1268]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002B0600 [unknown_code_page]
[1268]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002B1014 [unknown_code_page]
[1268]svchost.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[1268]svchost.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[1268]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[1268]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[1268]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002C0600 [unknown_code_page]
[1268]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002C0804 [unknown_code_page]
[1268]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002C01F8 [unknown_code_page]
[1268]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002C0A08 [unknown_code_page]
[1268]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002C03FC [unknown_code_page]
[1292]mdm.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->00380C0C [unknown_code_page]
[1292]mdm.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->00380E10 [unknown_code_page]
[1292]mdm.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->00380804 [unknown_code_page]
[1292]mdm.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->00380A08 [unknown_code_page]
[1292]mdm.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->003801F8 [unknown_code_page]
[1292]mdm.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->003803FC [unknown_code_page]
[1292]mdm.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->00380600 [unknown_code_page]
[1292]mdm.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->00381014 [unknown_code_page]
[1292]mdm.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[1292]mdm.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[1292]mdm.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->001401F8 [unknown_code_page]
[1292]mdm.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->001403FC [unknown_code_page]
[1292]mdm.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->00390600 [unknown_code_page]
[1292]mdm.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->00390804 [unknown_code_page]
[1292]mdm.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->003901F8 [unknown_code_page]
[1292]mdm.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->00390A08 [unknown_code_page]
[1292]mdm.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->003903FC [unknown_code_page]
[1300]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002B0C0C [unknown_code_page]
[1300]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002B0E10 [unknown_code_page]
[1300]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002B0804 [unknown_code_page]
[1300]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002B0A08 [unknown_code_page]
[1300]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002B01F8 [unknown_code_page]
[1300]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002B03FC [unknown_code_page]
[1300]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002B0600 [unknown_code_page]
[1300]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002B1014 [unknown_code_page]
[1300]svchost.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[1300]svchost.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[1300]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[1300]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[1300]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002C0600 [unknown_code_page]
[1300]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002C0804 [unknown_code_page]
[1300]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002C01F8 [unknown_code_page]
[1300]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002C0A08 [unknown_code_page]
[1300]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002C03FC [unknown_code_page]
[1428]nvsvc32.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->00390C0C [unknown_code_page]
[1428]nvsvc32.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->00390E10 [unknown_code_page]
[1428]nvsvc32.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->00390804 [unknown_code_page]
[1428]nvsvc32.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->00390A08 [unknown_code_page]
[1428]nvsvc32.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->003901F8 [unknown_code_page]
[1428]nvsvc32.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->003903FC [unknown_code_page]
[1428]nvsvc32.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->00390600 [unknown_code_page]
[1428]nvsvc32.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->00391014 [unknown_code_page]
[1428]nvsvc32.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[1428]nvsvc32.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[1428]nvsvc32.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->001401F8 [unknown_code_page]
[1428]nvsvc32.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->001403FC [unknown_code_page]
[1428]nvsvc32.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->00380600 [unknown_code_page]
[1428]nvsvc32.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->00380804 [unknown_code_page]
[1428]nvsvc32.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->003801F8 [unknown_code_page]
[1428]nvsvc32.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->00380A08 [unknown_code_page]
[1428]nvsvc32.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->003803FC [unknown_code_page]
[1476]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002B0C0C [unknown_code_page]
[1476]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002B0E10 [unknown_code_page]
[1476]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002B0804 [unknown_code_page]
[1476]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002B0A08 [unknown_code_page]
[1476]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002B01F8 [unknown_code_page]
[1476]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002B03FC [unknown_code_page]
[1476]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002B0600 [unknown_code_page]
[1476]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002B1014 [unknown_code_page]
[1476]svchost.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[1476]svchost.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[1476]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[1476]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[1476]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002C0600 [unknown_code_page]
[1476]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002C0804 [unknown_code_page]
[1476]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002C01F8 [unknown_code_page]
[1476]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002C0A08 [unknown_code_page]
[1476]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002C03FC [unknown_code_page]
[1500]ViewpointService.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->00390C0C [unknown_code_page]
[1500]ViewpointService.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->00390E10 [unknown_code_page]
[1500]ViewpointService.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->00390804 [unknown_code_page]
[1500]ViewpointService.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->00390A08 [unknown_code_page]
[1500]ViewpointService.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->003901F8 [unknown_code_page]
[1500]ViewpointService.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->003903FC [unknown_code_page]
[1500]ViewpointService.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->00390600 [unknown_code_page]
[1500]ViewpointService.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->00391014 [unknown_code_page]
[1500]ViewpointService.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[1500]ViewpointService.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[1500]ViewpointService.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->001401F8 [unknown_code_page]
[1500]ViewpointService.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->001403FC [unknown_code_page]
[1500]ViewpointService.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->00380600 [unknown_code_page]
[1500]ViewpointService.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->00380804 [unknown_code_page]
[1500]ViewpointService.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->003801F8 [unknown_code_page]
[1500]ViewpointService.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->00380A08 [unknown_code_page]
[1500]ViewpointService.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->003803FC [unknown_code_page]
[1568]WLTRYSVC.EXE-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->00390C0C [unknown_code_page]
[1568]WLTRYSVC.EXE-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->00390E10 [unknown_code_page]
[1568]WLTRYSVC.EXE-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->00390804 [unknown_code_page]
[1568]WLTRYSVC.EXE-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->00390A08 [unknown_code_page]
[1568]WLTRYSVC.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->003901F8 [unknown_code_page]
[1568]WLTRYSVC.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->003903FC [unknown_code_page]
[1568]WLTRYSVC.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->00390600 [unknown_code_page]
[1568]WLTRYSVC.EXE-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->00391014 [unknown_code_page]
[1568]WLTRYSVC.EXE-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[1568]WLTRYSVC.EXE-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[1568]WLTRYSVC.EXE-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->001401F8 [unknown_code_page]
[1568]WLTRYSVC.EXE-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->001403FC [unknown_code_page]
[1568]WLTRYSVC.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->00380600 [unknown_code_page]
[1568]WLTRYSVC.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->00380804 [unknown_code_page]
[1568]WLTRYSVC.EXE-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->003801F8 [unknown_code_page]
[1568]WLTRYSVC.EXE-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->00380A08 [unknown_code_page]
[1568]WLTRYSVC.EXE-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->003803FC [unknown_code_page]
[1636]AvastSvc.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[1636]AvastSvc.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x7C84495D-->EC900004 [unknown_code_page]
[1636]AvastSvc.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Code Mismatch 0x7C84495D + 3 [90]
[1636]AvastSvc.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[1696]BCMWLTRY.EXE-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->003A0C0C [unknown_code_page]
[1696]BCMWLTRY.EXE-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->003A0E10 [unknown_code_page]
[1696]BCMWLTRY.EXE-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->003A0804 [unknown_code_page]
[1696]BCMWLTRY.EXE-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->003A0A08 [unknown_code_page]
[1696]BCMWLTRY.EXE-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->003A01F8 [unknown_code_page]
[1696]BCMWLTRY.EXE-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->003A03FC [unknown_code_page]
[1696]BCMWLTRY.EXE-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->003A0600 [unknown_code_page]
[1696]BCMWLTRY.EXE-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->003A1014 [unknown_code_page]
[1696]BCMWLTRY.EXE-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[1696]BCMWLTRY.EXE-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[1696]BCMWLTRY.EXE-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->001501F8 [unknown_code_page]
[1696]BCMWLTRY.EXE-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->001503FC [unknown_code_page]
[1696]BCMWLTRY.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->003B0600 [unknown_code_page]
[1696]BCMWLTRY.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->003B0804 [unknown_code_page]
[1696]BCMWLTRY.EXE-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->003B01F8 [unknown_code_page]
[1696]BCMWLTRY.EXE-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->003B0A08 [unknown_code_page]
[1696]BCMWLTRY.EXE-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->003B03FC [unknown_code_page]
[1928]DLG.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->003A0C0C [unknown_code_page]
[1928]DLG.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->003A0E10 [unknown_code_page]
[1928]DLG.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->003A0804 [unknown_code_page]
[1928]DLG.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->003A0A08 [unknown_code_page]
[1928]DLG.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->003A01F8 [unknown_code_page]
[1928]DLG.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->003A03FC [unknown_code_page]
[1928]DLG.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->003A0600 [unknown_code_page]
[1928]DLG.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->003A1014 [unknown_code_page]
[1928]DLG.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[1928]DLG.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[1928]DLG.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->001501F8 [unknown_code_page]
[1928]DLG.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->001503FC [unknown_code_page]
[1928]DLG.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->00390600 [unknown_code_page]
[1928]DLG.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->00390804 [unknown_code_page]
[1928]DLG.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->003901F8 [unknown_code_page]
[1928]DLG.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->00390A08 [unknown_code_page]
[1928]DLG.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->003903FC [unknown_code_page]
[2148]alg.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002C0C0C [unknown_code_page]
[2148]alg.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002C0E10 [unknown_code_page]
[2148]alg.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002C0804 [unknown_code_page]
[2148]alg.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002C0A08 [unknown_code_page]
[2148]alg.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002C01F8 [unknown_code_page]
[2148]alg.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002C03FC [unknown_code_page]
[2148]alg.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002C0600 [unknown_code_page]
[2148]alg.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002C1014 [unknown_code_page]
[2148]alg.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[2148]alg.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[2148]alg.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[2148]alg.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[2148]alg.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002B0600 [unknown_code_page]
[2148]alg.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002B0804 [unknown_code_page]
[2148]alg.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002B01F8 [unknown_code_page]
[2148]alg.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002B0A08 [unknown_code_page]
[2148]alg.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002B03FC [unknown_code_page]
[2340]logon.scr-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[2340]logon.scr-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[2672]wscntfy.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002E0C0C [unknown_code_page]
[2672]wscntfy.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002E0E10 [unknown_code_page]
[2672]wscntfy.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002E0804 [unknown_code_page]
[2672]wscntfy.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002E0A08 [unknown_code_page]
[2672]wscntfy.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002E01F8 [unknown_code_page]
[2672]wscntfy.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002E03FC [unknown_code_page]
[2672]wscntfy.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002E0600 [unknown_code_page]
[2672]wscntfy.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002E1014 [unknown_code_page]
[2672]wscntfy.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[2672]wscntfy.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[2672]wscntfy.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[2672]wscntfy.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[2672]wscntfy.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002D0600 [unknown_code_page]
[2672]wscntfy.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002D0804 [unknown_code_page]
[2672]wscntfy.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002D01F8 [unknown_code_page]
[2672]wscntfy.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002D0A08 [unknown_code_page]
[2672]wscntfy.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002D03FC [unknown_code_page]
[2812]explorer.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002C0C0C [unknown_code_page]
[2812]explorer.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002C0E10 [unknown_code_page]
[2812]explorer.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002C0804 [unknown_code_page]
[2812]explorer.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002C0A08 [unknown_code_page]
[2812]explorer.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002C01F8 [unknown_code_page]
[2812]explorer.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002C03FC [unknown_code_page]
[2812]explorer.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002C0600 [unknown_code_page]
[2812]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[2812]explorer.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002C1014 [unknown_code_page]
[2812]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[2812]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[2812]explorer.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[2812]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
[2812]explorer.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[2812]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[2812]explorer.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[2812]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[2812]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[2812]explorer.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002D0600 [unknown_code_page]
[2812]explorer.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002D0804 [unknown_code_page]
[2812]explorer.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002D01F8 [unknown_code_page]
[2812]explorer.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002D0A08 [unknown_code_page]
[2812]explorer.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002D03FC [unknown_code_page]
[2812]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
[2812]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[304]spoolsv.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002B0C0C [unknown_code_page]
[304]spoolsv.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002B0E10 [unknown_code_page]
[304]spoolsv.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002B0804 [unknown_code_page]
[304]spoolsv.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002B0A08 [unknown_code_page]
[304]spoolsv.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002B01F8 [unknown_code_page]
[304]spoolsv.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002B03FC [unknown_code_page]
[304]spoolsv.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002B0600 [unknown_code_page]
[304]spoolsv.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002B1014 [unknown_code_page]
[304]spoolsv.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[304]spoolsv.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[304]spoolsv.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[304]spoolsv.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[304]spoolsv.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002C0600 [unknown_code_page]
[304]spoolsv.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002C0804 [unknown_code_page]
[304]spoolsv.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002C01F8 [unknown_code_page]
[304]spoolsv.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002C0A08 [unknown_code_page]
[304]spoolsv.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002C03FC [unknown_code_page]
Rest in next post, would not fit all in one.
[3060]ViewMgr.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->003A0C0C [unknown_code_page]
[3060]ViewMgr.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->003A0E10 [unknown_code_page]
[3060]ViewMgr.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->003A0804 [unknown_code_page]
[3060]ViewMgr.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->003A0A08 [unknown_code_page]
[3060]ViewMgr.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->003A01F8 [unknown_code_page]
[3060]ViewMgr.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->003A03FC [unknown_code_page]
[3060]ViewMgr.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->003A0600 [unknown_code_page]
[3060]ViewMgr.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->003A1014 [unknown_code_page]
[3060]ViewMgr.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[3060]ViewMgr.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[3060]ViewMgr.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->001401F8 [unknown_code_page]
[3060]ViewMgr.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->001403FC [unknown_code_page]
[3060]ViewMgr.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->00390600 [unknown_code_page]
[3060]ViewMgr.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->00390804 [unknown_code_page]
[3060]ViewMgr.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->003901F8 [unknown_code_page]
[3060]ViewMgr.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->00390A08 [unknown_code_page]
[3060]ViewMgr.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->003903FC [unknown_code_page]
[3348]Apoint.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->00390C0C [unknown_code_page]
[3348]Apoint.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->00390E10 [unknown_code_page]
[3348]Apoint.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->00390804 [unknown_code_page]
[3348]Apoint.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->00390A08 [unknown_code_page]
[3348]Apoint.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->003901F8 [unknown_code_page]
[3348]Apoint.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->003903FC [unknown_code_page]
[3348]Apoint.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->00390600 [unknown_code_page]
[3348]Apoint.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->00391014 [unknown_code_page]
[3348]Apoint.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[3348]Apoint.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[3348]Apoint.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->001401F8 [unknown_code_page]
[3348]Apoint.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->001403FC [unknown_code_page]
[3348]Apoint.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->00380600 [unknown_code_page]
[3348]Apoint.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->00380804 [unknown_code_page]
[3348]Apoint.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->003801F8 [unknown_code_page]
[3348]Apoint.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->00380A08 [unknown_code_page]
[3348]Apoint.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->003803FC [unknown_code_page]
[3368]DSentry.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->00380C0C [unknown_code_page]
[3368]DSentry.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->00380E10 [unknown_code_page]
[3368]DSentry.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->00380804 [unknown_code_page]
[3368]DSentry.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->00380A08 [unknown_code_page]
[3368]DSentry.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->003801F8 [unknown_code_page]
[3368]DSentry.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->003803FC [unknown_code_page]
[3368]DSentry.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->00380600 [unknown_code_page]
[3368]DSentry.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->00381014 [unknown_code_page]
[3368]DSentry.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[3368]DSentry.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[3368]DSentry.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->001401F8 [unknown_code_page]
[3368]DSentry.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->001403FC [unknown_code_page]
[3368]DSentry.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->00390600 [unknown_code_page]
[3368]DSentry.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->00390804 [unknown_code_page]
[3368]DSentry.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->003901F8 [unknown_code_page]
[3368]DSentry.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->00390A08 [unknown_code_page]
[3368]DSentry.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->003903FC [unknown_code_page]
[3428]khost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->003C0C0C [unknown_code_page]
[3428]khost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->003C0E10 [unknown_code_page]
[3428]khost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->003C0804 [unknown_code_page]
[3428]khost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->003C0A08 [unknown_code_page]
[3428]khost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->003C01F8 [unknown_code_page]
[3428]khost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->003C03FC [unknown_code_page]
[3428]khost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->003C0600 [unknown_code_page]
[3428]khost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->003C1014 [unknown_code_page]
[3428]khost.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[3428]khost.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[3428]khost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->001401F8 [unknown_code_page]
[3428]khost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->001403FC [unknown_code_page]
[3428]khost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->003B0600 [unknown_code_page]
[3428]khost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->003B0804 [unknown_code_page]
[3428]khost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->003B01F8 [unknown_code_page]
[3428]khost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->003B0A08 [unknown_code_page]
[3428]khost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->003B03FC [unknown_code_page]
[3596]AvastUI.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[3596]AvastUI.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[3688]ApntEx.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[3688]ApntEx.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[3688]ApntEx.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->001401F8 [unknown_code_page]
[3688]ApntEx.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->001403FC [unknown_code_page]
[3688]ApntEx.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->00380600 [unknown_code_page]
[3688]ApntEx.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->00380804 [unknown_code_page]
[3688]ApntEx.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->003801F8 [unknown_code_page]
[3688]ApntEx.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->00380A08 [unknown_code_page]
[3688]ApntEx.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->003803FC [unknown_code_page]
[3816]jqs.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->00390C0C [unknown_code_page]
[3816]jqs.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->00390E10 [unknown_code_page]
[3816]jqs.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->00390804 [unknown_code_page]
[3816]jqs.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->00390A08 [unknown_code_page]
[3816]jqs.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->003901F8 [unknown_code_page]
[3816]jqs.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->003903FC [unknown_code_page]
[3816]jqs.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->00390600 [unknown_code_page]
[3816]jqs.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->00391014 [unknown_code_page]
[3816]jqs.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[3816]jqs.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[3816]jqs.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->001501F8 [unknown_code_page]
[3816]jqs.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->001503FC [unknown_code_page]
[3816]jqs.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->003A0600 [unknown_code_page]
[3816]jqs.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->003A0804 [unknown_code_page]
[3816]jqs.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->003A01F8 [unknown_code_page]
[3816]jqs.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->003A0A08 [unknown_code_page]
[3816]jqs.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->003A03FC [unknown_code_page]
[500]scardsvr.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002C0C0C [unknown_code_page]
[500]scardsvr.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002C0E10 [unknown_code_page]
[500]scardsvr.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002C0804 [unknown_code_page]
[500]scardsvr.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002C0A08 [unknown_code_page]
[500]scardsvr.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002C01F8 [unknown_code_page]
[500]scardsvr.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002C03FC [unknown_code_page]
[500]scardsvr.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002C0600 [unknown_code_page]
[500]scardsvr.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002C1014 [unknown_code_page]
[500]scardsvr.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[500]scardsvr.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[500]scardsvr.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[500]scardsvr.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[500]scardsvr.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002B0600 [unknown_code_page]
[500]scardsvr.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002B0804 [unknown_code_page]
[500]scardsvr.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002B01F8 [unknown_code_page]
[500]scardsvr.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002B0A08 [unknown_code_page]
[500]scardsvr.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002B03FC [unknown_code_page]
[668]ctfmon.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002C0C0C [unknown_code_page]
[668]ctfmon.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002C0E10 [unknown_code_page]
[668]ctfmon.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002C0804 [unknown_code_page]
[668]ctfmon.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002C0A08 [unknown_code_page]
[668]ctfmon.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002C01F8 [unknown_code_page]
[668]ctfmon.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002C03FC [unknown_code_page]
[668]ctfmon.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002C0600 [unknown_code_page]
[668]ctfmon.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002C1014 [unknown_code_page]
[668]ctfmon.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[668]ctfmon.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[668]ctfmon.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000A01F8 [unknown_code_page]
[668]ctfmon.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000A03FC [unknown_code_page]
[668]ctfmon.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002D0600 [unknown_code_page]
[668]ctfmon.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002D0804 [unknown_code_page]
[668]ctfmon.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002D01F8 [unknown_code_page]
[668]ctfmon.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002D0A08 [unknown_code_page]
[668]ctfmon.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002D03FC [unknown_code_page]
[676]smss.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[732]csrss.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[732]csrss.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[756]winlogon.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002B0C0C [unknown_code_page]
[756]winlogon.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002B0E10 [unknown_code_page]
[756]winlogon.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002B0804 [unknown_code_page]
[756]winlogon.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002B0A08 [unknown_code_page]
[756]winlogon.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002B01F8 [unknown_code_page]
[756]winlogon.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002B03FC [unknown_code_page]
[756]winlogon.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002B0600 [unknown_code_page]
[756]winlogon.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002B1014 [unknown_code_page]
[756]winlogon.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[756]winlogon.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[756]winlogon.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000701F8 [unknown_code_page]
[756]winlogon.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000703FC [unknown_code_page]
[756]winlogon.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002C0600 [unknown_code_page]
[756]winlogon.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002C0804 [unknown_code_page]
[756]winlogon.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002C01F8 [unknown_code_page]
[756]winlogon.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002C0A08 [unknown_code_page]
[756]winlogon.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002C03FC [unknown_code_page]
[800]services.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002B0C0C [unknown_code_page]
[800]services.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002B0E10 [unknown_code_page]
[800]services.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002B0804 [unknown_code_page]
[800]services.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002B0A08 [unknown_code_page]
[800]services.exe-->advapi32.dll-->CreateProcessAsUserW, Type: IAT modification 0x01001094-->005F0002 [unknown_code_page]
[800]services.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002B01F8 [unknown_code_page]
[800]services.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002B03FC [unknown_code_page]
[800]services.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002B0600 [unknown_code_page]
[800]services.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002B1014 [unknown_code_page]
[800]services.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[800]services.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification 0x01001114-->005F0000 [unknown_code_page]
[800]services.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[800]services.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[800]services.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[800]services.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002C0600 [unknown_code_page]
[800]services.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002C0804 [unknown_code_page]
[800]services.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002C01F8 [unknown_code_page]
[800]services.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002C0A08 [unknown_code_page]
[800]services.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002C03FC [unknown_code_page]
[812]lsass.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002B0C0C [unknown_code_page]
[812]lsass.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002B0E10 [unknown_code_page]
[812]lsass.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002B0804 [unknown_code_page]
[812]lsass.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002B0A08 [unknown_code_page]
[812]lsass.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002B01F8 [unknown_code_page]
[812]lsass.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002B03FC [unknown_code_page]
[812]lsass.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002B0600 [unknown_code_page]
[812]lsass.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002B1014 [unknown_code_page]
[812]lsass.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[812]lsass.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[812]lsass.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[812]lsass.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[812]lsass.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002C0600 [unknown_code_page]
[812]lsass.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002C0804 [unknown_code_page]
[812]lsass.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002C01F8 [unknown_code_page]
[812]lsass.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002C0A08 [unknown_code_page]
[812]lsass.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002C03FC [unknown_code_page]
[864]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002B0C0C [unknown_code_page]
[864]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002B0E10 [unknown_code_page]
[864]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002B0804 [unknown_code_page]
[864]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002B0A08 [unknown_code_page]
[864]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002B01F8 [unknown_code_page]
[864]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002B03FC [unknown_code_page]
[864]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002B0600 [unknown_code_page]
[864]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002B1014 [unknown_code_page]
[864]svchost.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[864]svchost.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[864]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[864]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[864]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002C0600 [unknown_code_page]
[864]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002C0804 [unknown_code_page]
[864]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002C01F8 [unknown_code_page]
[864]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002C0A08 [unknown_code_page]
[864]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002C03FC [unknown_code_page]
[980]svchost.exe-->advapi32.dll-->ChangeServiceConfig2A, Type: Inline - RelativeJump 0x77E37101-->002B0C0C [unknown_code_page]
[980]svchost.exe-->advapi32.dll-->ChangeServiceConfig2W, Type: Inline - RelativeJump 0x77E37189-->002B0E10 [unknown_code_page]
[980]svchost.exe-->advapi32.dll-->ChangeServiceConfigA, Type: Inline - RelativeJump 0x77E36E69-->002B0804 [unknown_code_page]
[980]svchost.exe-->advapi32.dll-->ChangeServiceConfigW, Type: Inline - RelativeJump 0x77E37001-->002B0A08 [unknown_code_page]
[980]svchost.exe-->advapi32.dll-->CreateServiceA, Type: Inline - RelativeJump 0x77E37211-->002B01F8 [unknown_code_page]
[980]svchost.exe-->advapi32.dll-->CreateServiceW, Type: Inline - RelativeJump 0x77E373A9-->002B03FC [unknown_code_page]
[980]svchost.exe-->advapi32.dll-->DeleteService, Type: Inline - RelativeJump 0x77E374B1-->002B0600 [unknown_code_page]
[980]svchost.exe-->advapi32.dll-->SetServiceObjectSecurity, Type: Inline - RelativeJump 0x77E36D81-->002B1014 [unknown_code_page]
[980]svchost.exe-->kernel32.dll+0x00068D8C, Type: Code Mismatch 0x7C868D8C + 429452 [62]
[980]svchost.exe-->ntdll.dll+0x00016865, Type: Code Mismatch 0x7C916865 + 92261 [62]
[980]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C91632D-->000901F8 [unknown_code_page]
[980]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x7C9171CD-->000903FC [unknown_code_page]
[980]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x7E431211-->002C0600 [unknown_code_page]
[980]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->002C0804 [unknown_code_page]
[980]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x7E4317F7-->002C01F8 [unknown_code_page]
[980]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->002C0A08 [unknown_code_page]
[980]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7E4318AC-->002C03FC [unknown_code_page]
2.
;***********************************************************************************************************************************************************************************
ANALYSIS: 2011-08-02 19:28:33
PROTECTIONS: 1
MALWARE: 21
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! Antivirus 5.0.100664499 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00020994 W32/Bagle.VZ.worm Virus/Worm No 1 Yes No c:\documents and settings\all users\application data\spybot - search & destroy\recovery\virtumonde.zip
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@trafficmp[2].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@247realmedia[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@tribalfusion[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@com[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@ad.yieldmanager[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@bs.serving-sys[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@www.burstbeacon[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@adtech[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@server.iad.liveperson[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@ads.pointroll[2].txt
00170549 Cookie/FortuneCity TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@fortunecity[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@overture[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@realmedia[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@questionmarket[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@go[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@atwola[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No c:\documents and settings\daniel\cookies\daniel@ads.addynamix[1].txt
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\_otm\movedfiles\08012011_203822\c_documents and settings\daniel\application data\sun\java\deployment\cache\6.0\16\40abb910-29db0a55
03919024 Generic Malware Virus/Trojan No 0 Yes No c:\windows\ubisoft\setupubi.exe
;========================================================
SUSPECTS
Sent Location
;========================================================
VULNERABILITIES
Id Severity Description
;========================================================
3.
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Daniel at 19:35:52 on 2011-08-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1212 [GMT -4:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\kdx\KHost.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Games\Firefox\firefox.exe
C:\Games\Firefox\plugin-container.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bbc.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [kdx] c:\windows\kdx\KHost.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [QuickTime Task] "c:\games\quick\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1283659333532
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} - hxxp://www.gamespot.com/KDX/zd/kdx.cab
TCP: DhcpNameServer = 208.33.159.39 71.2.28.14
TCP: Interfaces\{804A7E99-F08A-4061-9A5D-4578AEA20F9C} : DhcpNameServer = 208.33.159.39 71.2.28.14
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\daniel\application data\mozilla\firefox\profiles\tmsh95n6.default\
FF - plugin: c:\documents and settings\daniel\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\daniel\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\games\codec\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\games\codec\divx\divx web player\npdivx32.dll
FF - plugin: c:\games\firefox\plugins\npdeployJava1.dll
FF - plugin: c:\games\quick\plugins\npqtplugin.dll
FF - plugin: c:\games\quick\plugins\npqtplugin2.dll
FF - plugin: c:\games\quick\plugins\npqtplugin3.dll
FF - plugin: c:\games\quick\plugins\npqtplugin4.dll
FF - plugin: c:\games\quick\plugins\npqtplugin5.dll
FF - plugin: c:\games\quick\plugins\npqtplugin6.dll
FF - plugin: c:\games\quick\plugins\npqtplugin7.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-27 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-1-6 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-6 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-25 42184]
R2 gpib420;GPIB Analyzer;c:\windows\system32\drivers\gpib420.sys [2006-2-13 31334]
R2 GpibPrtK;Gpib Port;c:\windows\system32\drivers\GpibPrtK.sys [2006-2-13 199783]
R2 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.dll [2005-7-27 10829]
R2 niarbk;niarbk;c:\windows\system32\drivers\niarbk.dll [2006-7-4 37376]
R2 nibffrk;nibffrk;c:\windows\system32\drivers\nibffrk.dll [2006-7-4 21504]
R2 Nidaq32k;Nidaq32k;c:\windows\system32\drivers\nidaq32k.sys [2006-7-4 674304]
R2 nidimk;nidimk;c:\windows\system32\drivers\nidimk.dll [2006-7-13 159232]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;c:\windows\system32\drivers\nidmmk.dll [2006-7-4 50688]
R2 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfk.dll [2006-7-20 200704]
R2 nidwgk;nidwgk;c:\windows\system32\drivers\nidwgk.dll [2006-7-10 979456]
R2 niemrk;niemrk;c:\windows\system32\drivers\niemrk.dll [2006-7-20 370176]
R2 nifslk;nifslk;c:\windows\system32\drivers\nifslk.dll [2006-7-16 81920]
R2 nigplk;nigplk;c:\windows\system32\drivers\nigplk.dll [2006-2-15 101376]
R2 nihsdrk;nihsdrk;c:\windows\system32\drivers\nihsdrk.dll [2006-7-10 815616]
R2 nimdsk;nimdsk;c:\windows\system32\drivers\nimdsk.dll [2006-7-4 30208]
R2 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpk.dll [2006-7-16 20480]
R2 nipsdk;nipsdk;c:\windows\system32\drivers\nipsdk.dll [2006-7-10 246784]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmk.dll [2006-7-18 71680]
R2 nisldk;nisldk;c:\windows\system32\drivers\nisldk.dll [2006-7-10 395776]
R2 nisrcdk;nisrcdk;c:\windows\system32\drivers\nisrcdk.dll [2006-7-10 965632]
R2 nistck;nistck;c:\windows\system32\drivers\niSTCk.dll [2006-7-4 111616]
R2 niswdk;niswdk;c:\windows\system32\drivers\niswdk.dll [2006-7-16 496640]
R2 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrk.dll [2006-7-20 1746432]
R2 usb6xxxk;usb6xxxk;c:\windows\system32\drivers\usb6xxxk.dll [2006-7-16 19968]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
R3 GTICARD;GTICARD;c:\windows\system32\drivers\gticard.sys [2003-2-14 59328]
R3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrk.dll [2006-7-16 171520]
R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2k.dll [2006-7-13 248832]
R3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrk.dll [2006-7-16 137728]
R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstsk.dll [2006-7-16 51712]
R3 niscdk;niscdk;c:\windows\system32\drivers\niscdk.dll [2006-7-16 506880]
R3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigk.dll [2006-7-16 240128]
R3 nitiork;nitiork;c:\windows\system32\drivers\nitiork.dll [2006-7-16 790528]
S3 37C897B2;37C897B2;c:\windows\system32\37c897b2.exe --> c:\windows\system32\37C897B2.exe [?]
S3 nidsark;nidsark;c:\windows\system32\drivers\nidsark.dll [2006-7-20 648192]
S3 niesrk;niesrk;c:\windows\system32\drivers\niesrk.dll [2006-7-20 500224]
S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [2006-6-5 14464]
S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [2006-6-5 151683]
S3 nipalusb;NI-PAL USB Driver;c:\windows\system32\drivers\nipalusb.sys [2006-7-13 105472]
S3 nisftk;nisftk;c:\windows\system32\drivers\nisftk.dll [2006-7-16 164864]
S3 nismbusk;nismbusk;c:\windows\system32\drivers\nismbusk.sys [2006-7-18 51200]
S3 nispdk;nispdk;c:\windows\system32\drivers\nispdk.dll [2006-7-16 43008]
S3 nissrk;nissrk;c:\windows\system32\drivers\nissrk.dll [2006-7-20 1026560]
S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2k.dll [2006-6-6 163328]
S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrk.dll [2006-7-16 111616]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWK.sys [2006-7-14 8704]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciK.sys [2006-7-14 48128]
S3 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiK.sys [2006-7-14 10752]
S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrk.dll [2006-7-20 434688]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S4 nidevldu;nidevldu;system32\nipalsm.exe --> system32\nipalsm.exe [?]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-08-02 12:02:03 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-08-02 12:01:42 -------- d-----w- c:\program files\Panda Security
2011-08-02 04:47:26 -------- d-----w- c:\documents and settings\daniel\local settings\application data\Temp
2011-08-02 00:38:22 -------- d-----w- C:\_OTM
2011-08-01 06:00:53 -------- d-----w- c:\program files\ESET
.
==================== Find3M ====================
.
2011-07-23 06:41:38 319 ----a-w- C:\drmHeader.bin
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-04 11:43:53 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:36:43 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-06-18 04:16:13 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 19:36:54.05 ===============
4. Other than the first time the firewall got turned off, no, I have not noticed any other/more symptoms. Did you see anything that may have been causing problems?