Jump to content

How to remove/repairs infected dll kernels when no scans reveals errors

faq

By faq
in Resolved Malware Removal Logs

 Share

Recommended Posts

faq

faq

Posted
Posted

Good morning/evening
I've read many posts here and elsewhere, installed the required/suggested programs and finally thought it would be wise to add my problem to the pile :s

It's been a while since the computer is kind of slow, I installed all the updates, windows, java, flash, the malware byte rootkit remover and malware remover, super anti spyware, changed comodo for zone alaram, and now I'm having spyware cease/Avg /adva canced system care, GMER (so far the only one that actually recognizes something and allows me to kill process but they pop randomly) and I know what false positives are, etc,registry cleaners...

...the thing is, all of a sudden Korean and Mandarin characters are popping in GMEr and I've never seen them before. It's brutally annoying, I work for a japanese-owned company and wonder if it's not industrial spying. I'm in North America, with lots of co workers from Asia and this could also be a possibility. It's very frustrating as I did all the search for the corrupt csrss.exe file and obviously won't find it. I'd join screen shots so you can see, some repeating threads but mostly program jacking. 
 
I also used panda cloud scanner/rogue killer/ kapersky/eset all to no avail/real result it seems they only look for english characters and they did remove a few PUP and adware but nothing serious. I Tried moving everything to another user (that I just created) and before I report this to my employer as a serious issue I'd like to have some Idea ( are there apps I can use to track the origin of the sender so I can show those smart asses a lesson? This has been burning lots of time I'M working as you all are I suppose and a part time student as well.

*update:I've been working with computers for a while so don'T worry and suggest me a straight up solution. The regedit won'T detect the csrss.exe file but the virus keeps emulating it along with .32 processes. I also noticed that gmer mentions a windows without capital w but the other times it has it.Ask for the logs if you'd like but they show nothing. 0, zilch, nada. I guess I could try to ''search for the chinese character meaning'' if it can bepost-194618-0-81068300-1446068919_thumb.post-194618-0-86535600-1446068954_thumb.backdoor stuff.txtproblemz.txtRkill.txtshiiiiiiiiit.txt tracked from the photo. I've only seen those kinds of post a few times and I don't mean to be racist but I studied in cyber criminology and was told asian script kiddies&seasonal criminals are fond of unweary american cyber surfer's funds. Thanks in advance!

Link to post
Share on other sites
faq

faq

Posted
  • Author
Posted

This could be a serious issue, I'm not a super rich person but I'm making more than my coworkers who could be jealous/thinking of seeding my computer I tried deleting my actual user in windows 8 but it didn'T work, the other new user only had guest features even if I gave it full administrator. I also have a partitioned hard drive I was planning on installing linux but never did. Could malicious programs use this (dead) memory space, my processor, and my RAM to infect with bot nets? I have a clean ''task manager'' and other interfaces are ok too. I am in America now but travelled in Asia once with that computer in the past and I brought another one too. But I'm back and there are no reasons that this should happen unless someone is actively trying to jack in my files. I never noticed any stolen information but those added spices are making my computer time unliveable. Thank you.

Link to post
Share on other sites
faq

faq

Posted
  • Author
Posted

and just for the record, I'm not going on adult websites and the only time Io do financial transactions is with paypal. Definintely not the type of person who will enter his credit card information on a site that will make me a sitting duck after. I don't even go and watch free content from overseas and I'm not some elder age citizen with a loaded wallet visiting places of ill repute. So I'm definitely thinking this has to do with spying because the surrounding businesses are obviously competing with this one, the connection is almost public, the password probably hasn't been changed and many people from throughout the world use it for their personal needs. Thought I'd tell. Now please and thank you, have a nice day and I appreciate any suggestions. 10-4

Link to post
Share on other sites
faq

faq

Posted
  • Author
Posted

I need help with my files, please. For some reason Gmer is the only one that detects intrusion, everything else (including detection program) is passing by unharmed unless it is linked to a ''pup''.
Running a copy legit of windows 8, I download a bit here and there but I'm not a heavy surfer.

I don't want to reformat, are there any solutions? I tried even Trojan remover and unhack me nothing works to remove the problems (which I guess are rootkits, worms and trojans)

Thanks in advance

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-28 10:54:38
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000039 WDC_WD7500BPVX-22JC3T0 rev.01.01A01 698.64GB
Running: gmer.exe; Driver: C:\Temp\uxtiqpog.sys


---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                        unknown MBR code

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [596:624]      fffff960008ad5e8
Thread  C:\Windows\system32\svchost.exe [900:3860]   000007fde01410f0
Thread  C:\Windows\system32\svchost.exe [900:5388]   000007fde4555c38
Thread  C:\Windows\System32\spoolsv.exe [1536:4736]  000007fde66e54c0
Thread  C:\Windows\System32\spoolsv.exe [1536:4740]  000007fde66c30ec
Thread  C:\Windows\System32\spoolsv.exe [1536:4768]  000007fdde2b5798
Thread  C:\Windows\System32\spoolsv.exe [1536:4776]  000007fdde2fd29c
Thread  C:\Windows\system32\svchost.exe [2728:2832]  000007fde66e54c0
Thread  C:\Windows\system32\svchost.exe [2728:472]   000007fde66c30ec

---- EOF - GMER 2.1 ----


GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-29 08:29:39
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000038 WDC_WD7500BPVX-22JC3T0 rev.01.01A01 698.64GB
Running: healer.exe; Driver: C:\Temp\uxtiqpog.sys


---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable                                                      fffff96000132b00 1 byte [00]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 2                                                  fffff96000132b02 5 bytes [7E, 01, 00, 58, F2]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\atiesrxx.exe[496] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306   000007f8c20e177a 4 bytes [0E, C2, F8, 07]
.text  C:\Windows\system32\atiesrxx.exe[496] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314   000007f8c20e1782 4 bytes [0E, C2, F8, 07]
.text  C:\Windows\system32\dwm.exe[844] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                  000007f8bcff1532 4 bytes [FF, BC, F8, 07]
.text  C:\Windows\system32\dwm.exe[844] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                  000007f8bcff153a 4 bytes [FF, BC, F8, 07]
.text  C:\Windows\system32\dwm.exe[844] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                000007f8bcff165a 4 bytes [FF, BC, F8, 07]
.text  C:\Windows\system32\atieclxx.exe[1164] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f8c20e177a 4 bytes [0E, C2, F8, 07]
.text  C:\Windows\system32\atieclxx.exe[1164] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007f8c20e1782 4 bytes [0E, C2, F8, 07]


GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-29 08:44:28
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000038 WDC_WD7500BPVX-22JC3T0 rev.01.01A01 698,64GB
Running: healer.exe; Driver: C:\Temp\uxtiqpog.sys


---- Kernel code sections - GMER 2.1 ----

.text   C:\Windows\System32\win32k.sys!W32pServiceTable                                                                                fffff96000132b00 1 byte [00]
.text   C:\Windows\System32\win32k.sys!W32pServiceTable + 2                                                                            fffff96000132b02 5 bytes [7E, 01, 00, 58, F2]

---- User code sections - GMER 2.1 ----

.text   C:\Windows\system32\atiesrxx.exe[496] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306                             000007f8c20e177a 4 bytes [0E, C2, F8, 07]
.text   C:\Windows\system32\atiesrxx.exe[496] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314                             000007f8c20e1782 4 bytes [0E, C2, F8, 07]
.text   C:\Windows\system32\dwm.exe[844] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                            000007f8bcff1532 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\system32\dwm.exe[844] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                            000007f8bcff153a 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\system32\dwm.exe[844] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                          000007f8bcff165a 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\system32\atieclxx.exe[1164] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306                            000007f8c20e177a 4 bytes [0E, C2, F8, 07]
.text   C:\Windows\system32\atieclxx.exe[1164] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314                            000007f8c20e1782 4 bytes [0E, C2, F8, 07]
.text   C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1076] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306             000007f8c20e177a 4 bytes [0E, C2, F8, 07]
.text   C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1076] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314             000007f8c20e1782 4 bytes [0E, C2, F8, 07]
.text   C:\Windows\system32\wbem\wmiprvse.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                   000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Windows\system32\wbem\wmiprvse.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Windows\system32\wbem\wmiprvse.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                        000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Windows\system32\wbem\wmiprvse.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                       000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Windows\system32\wbem\wmiprvse.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                    000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Windows\system32\wbem\wmiprvse.exe[4012] C:\Windows\system32\KERNELBASE.dll!ResumeThread                                    000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Windows\system32\wbem\wmiprvse.exe[4012] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                          000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Windows\System32\svchost.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                         000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Windows\System32\svchost.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                       000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Windows\System32\svchost.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                              000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Windows\System32\svchost.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                             000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Windows\System32\svchost.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                          000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Windows\System32\svchost.exe[4260] C:\Windows\system32\KERNELBASE.dll!ResumeThread                                          000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Windows\System32\svchost.exe[4260] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                                000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                         000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                       000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                              000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                             000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                          000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Windows\system32\svchost.exe[4448] C:\Windows\system32\KERNELBASE.dll!ResumeThread                                          000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Windows\system32\svchost.exe[4448] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                                000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Windows\system32\wbem\unsecapp.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                   000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Windows\system32\wbem\unsecapp.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Windows\system32\wbem\unsecapp.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                        000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Windows\system32\wbem\unsecapp.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                       000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Windows\system32\wbem\unsecapp.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                    000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Windows\system32\wbem\unsecapp.exe[4612] C:\Windows\system32\KERNELBASE.dll!ResumeThread                                    000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Windows\system32\wbem\unsecapp.exe[4612] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                          000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Windows\system32\SearchIndexer.exe[5832] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                   000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Windows\system32\SearchIndexer.exe[5832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Windows\system32\SearchIndexer.exe[5832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                        000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Windows\system32\SearchIndexer.exe[5832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                       000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Windows\system32\SearchIndexer.exe[5832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                    000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Windows\system32\SearchIndexer.exe[5832] C:\Windows\system32\KERNELBASE.dll!ResumeThread                                    000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Windows\system32\SearchIndexer.exe[5832] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                          000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                      000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                    000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                           000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                          000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                       000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Windows\system32\taskhostex.exe[4172] C:\Windows\system32\KERNELBASE.dll!ResumeThread                                       000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Windows\system32\taskhostex.exe[4172] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                             000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                    000007f8bcff1532 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                    000007f8bcff153a 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                  000007f8bcff165a 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                   000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                        000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                       000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                    000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\system32\KERNELBASE.dll!ResumeThread                                    000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                          000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                 000007f8bcff1532 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                 000007f8bcff153a 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                               000007f8bcff165a 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                  000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                       000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                      000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                   000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\system32\KERNELBASE.dll!ResumeThread                                   000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                         000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                000007f8bcff1532 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                000007f8bcff153a 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                              000007f8bcff165a 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                                 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                               000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                                      000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                                     000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                                  000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Windows\Explorer.EXE[5944] C:\Windows\system32\KERNELBASE.dll!ResumeThread                                                  000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Windows\Explorer.EXE[5944] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                                        000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 690                                               000007f8bcff1532 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 698                                               000007f8bcff153a 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\msimg32.dll!TransparentBlt + 246                                             000007f8bcff165a 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                             000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                           000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                  000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                              000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\system32\KERNELBASE.dll!ResumeThread                              000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                    000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                           000007f8bcff1532 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                           000007f8bcff153a 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                         000007f8bcff165a 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                         000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                       000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                              000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                             000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                          000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\system32\KERNELBASE.dll!ResumeThread                                          000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                                000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306                             000007f8c20e177a 4 bytes [0E, C2, F8, 07]
.text   C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314                             000007f8c20e1782 4 bytes [0E, C2, F8, 07]
.text   C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                       000007f8bcff1532 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                       000007f8bcff153a 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                     000007f8bcff165a 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection           000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory         000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant               000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore            000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\system32\KERNELBASE.dll!ResumeThread            000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW  000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 690         000007f8bcff1532 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 698         000007f8bcff153a 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\msimg32.dll!TransparentBlt + 246       000007f8bcff165a 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                         000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                       000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                              000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                             000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                          000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\system32\KERNELBASE.dll!ResumeThread                          000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                       000007f8bcff1532 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                       000007f8bcff153a 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                     000007f8bcff165a 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                  000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                       000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                      000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                   000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2332] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306      000007f8c20e177a 4 bytes [0E, C2, F8, 07]
.text   C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2332] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314      000007f8c20e1782 4 bytes [0E, C2, F8, 07]
.text   C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection               000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory             000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                    000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                   000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\system32\KERNELBASE.dll!ResumeThread                000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW      000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306   000007f8c20e177a 4 bytes [0E, C2, F8, 07]
.text   C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314   000007f8c20e1782 4 bytes [0E, C2, F8, 07]
.text   C:\Windows\system32\wbem\unsecapp.exe[6456] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                   000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Windows\system32\wbem\unsecapp.exe[6456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Windows\system32\wbem\unsecapp.exe[6456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                        000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Windows\system32\wbem\unsecapp.exe[6456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                       000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Windows\system32\wbem\unsecapp.exe[6456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                    000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Windows\system32\wbem\unsecapp.exe[6456] C:\Windows\system32\KERNELBASE.dll!ResumeThread                                    000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Windows\system32\wbem\unsecapp.exe[6456] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                          000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Windows\system32\wbem\unsecapp.exe[6456] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                 000007f8bcff1532 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\system32\wbem\unsecapp.exe[6456] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                 000007f8bcff153a 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\system32\wbem\unsecapp.exe[6456] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                               000007f8bcff165a 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection             000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory           000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                  000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[6516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore              000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[6516] C:\Windows\system32\KERNELBASE.dll!ResumeThread              000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[6516] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW    000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[6516] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690           000007f8bcff1532 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[6516] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698           000007f8bcff153a 4 bytes [FF, BC, F8, 07]
.text   C:\Program Files\Acer\Acer Power Management\ePowerEvent.exe[6516] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246         000007f8bcff165a 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\System32\RuntimeBroker.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                   000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Windows\System32\RuntimeBroker.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Windows\System32\RuntimeBroker.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                        000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Windows\System32\RuntimeBroker.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                       000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Windows\System32\RuntimeBroker.exe[1616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                    000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Windows\System32\RuntimeBroker.exe[1616] C:\Windows\system32\KERNELBASE.dll!ResumeThread                                    000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Windows\System32\RuntimeBroker.exe[1616] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                          000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Windows\system32\taskhost.exe[11996] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                       000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Windows\system32\taskhost.exe[11996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                     000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Windows\system32\taskhost.exe[11996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                            000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Windows\system32\taskhost.exe[11996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                           000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Windows\system32\taskhost.exe[11996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                        000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Windows\system32\taskhost.exe[11996] C:\Windows\system32\KERNELBASE.dll!ResumeThread                                        000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Windows\system32\taskhost.exe[11996] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                              000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Windows\system32\taskhost.exe[11996] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                     000007f8bcff1532 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\system32\taskhost.exe[11996] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                     000007f8bcff153a 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\system32\taskhost.exe[11996] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                   000007f8bcff165a 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\system32\taskeng.exe[13728] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection                                        000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00
.text   C:\Windows\system32\taskeng.exe[13728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory                                      000007f8c42f2f00 5 bytes JMP 000007f9b69c1810
.text   C:\Windows\system32\taskeng.exe[13728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent                                             000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090
.text   C:\Windows\system32\taskeng.exe[13728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant                                            000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0
.text   C:\Windows\system32\taskeng.exe[13728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore                                         000007f8c42f3651 5 bytes JMP 000007f9b69c2150
.text   C:\Windows\system32\taskeng.exe[13728] C:\Windows\system32\KERNELBASE.dll!ResumeThread                                         000007f8c1566560 5 bytes JMP 000007f9b69c1f50
.text   C:\Windows\system32\taskeng.exe[13728] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW                               000007f8c156b970 5 bytes JMP 000007f9b69c19c0
.text   C:\Windows\system32\taskeng.exe[13728] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                      000007f8bcff1532 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\system32\taskeng.exe[13728] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                      000007f8bcff153a 4 bytes [FF, BC, F8, 07]
.text   C:\Windows\system32\taskeng.exe[13728] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                    000007f8bcff165a 4 bytes [FF, BC, F8, 07]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [648:672]                                                                                        fffff9600099e5e8

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                                                                                                          unknown MBR code

---- EOF - GMER 2.1 ----
 

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Hello and welcome,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Those GMER logs are clean, what exactly do you think is wrong?

 

Next,

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…




If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....


Next,
 
Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
    (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

Let me see those logs,

 

Kevin..
 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.