|
-
June 13th, 2012, 07:17 AM
#4
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 10D 82CBF890 4 Bytes [F8, 6D, 72, 90] {CLC ; INSD ; JB 0xffffffffffffff94}
.text ntkrnlpa.exe!KeSetEvent + 131 82CBF8B4 4 Bytes [5A, 3A, DB, 90] {POP EDX; CMP BL, BL; NOP }
.text ntkrnlpa.exe!KeSetEvent + 191 82CBF914 4 Bytes JMP F544579B
.text ntkrnlpa.exe!KeSetEvent + 1D1 82CBF954 16 Bytes [E4, C2, 72, 90, 30, C3, 72, ...] {IN AL, 0xc2; JB 0xffffffffffffff94; XOR BL, AL; JB 0xffffffffffffff98; XCHG [EBP-0x36], AH; NOP ; AND AL, AH; JB 0xffffffffffffffa0}
.text ntkrnlpa.exe!KeSetEvent + 1E9 82CBF96C 4 Bytes JMP CC7E9282
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82DEA633 5 Bytes JMP 90DC6C8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 82E43573 5 Bytes JMP 90DC874C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82E4CE98 4 Bytes CALL 907281B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82E50B0C 4 Bytes CALL 907281CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F404360, 0x35BF98, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[12] ntdll.dll!LdrLoadDll 77499378 5 Bytes JMP 000501F8
.text C:\Windows\system32\svchost.exe[12] ntdll.dll!LdrUnloadDll 774AB680 5 Bytes JMP 000503FC
.text C:\Windows\system32\svchost.exe[12] ntdll.dll!NtAccessCheckByType 774D3EB4 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\svchost.exe[12] ntdll.dll!NtAlpcImpersonateClientOfPort 774D4084 5 Bytes JMP 20CB8DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\svchost.exe[12] ntdll.dll!NtImpersonateClientOfPort 774D4854 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\svchost.exe[12] ntdll.dll!NtSetInformationProcess 774D5194 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\svchost.exe[12] kernel32.dll!OpenProcess 76EA7487 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\svchost.exe[12] kernel32.dll!GetBinaryTypeW + 70 76EB2467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!ImpersonateNamedPipeClient 76F53A48 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!SetThreadToken 76F68E21 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!CreateServiceW 76F89EB4 5 Bytes JMP 000703FC
.text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!DeleteService 76F8A07E 5 Bytes JMP 00070600
.text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!SetServiceObjectSecurity 76FC6CD9 5 Bytes JMP 00071014
.text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!ChangeServiceConfigA 76FC6DD9 5 Bytes JMP 00070804
.text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!ChangeServiceConfigW 76FC6F81 5 Bytes JMP 00070A08
.text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!ChangeServiceConfig2A 76FC7099 5 Bytes JMP 00070C0C
.text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!ChangeServiceConfig2W 76FC71E1 5 Bytes JMP 00070E10
.text C:\Windows\system32\svchost.exe[12] ADVAPI32.dll!CreateServiceA 76FC72A1 5 Bytes JMP 000701F8
.text C:\Windows\system32\svchost.exe[12] USER32.dll!SetWindowsHookExA 76B66322 5 Bytes JMP 00190600
.text C:\Windows\system32\svchost.exe[12] USER32.dll!SetWindowsHookExW 76B687AD 5 Bytes JMP 00190804
.text C:\Windows\system32\svchost.exe[12] USER32.dll!UnhookWindowsHookEx 76B698DB 5 Bytes JMP 00190A08
.text C:\Windows\system32\svchost.exe[12] USER32.dll!FindWindowA 76B69D76 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\svchost.exe[12] USER32.dll!SetWinEventHook 76B69F3A 5 Bytes JMP 001901F8
.text C:\Windows\system32\svchost.exe[12] USER32.dll!UnhookWinEvent 76B6C06F 5 Bytes JMP 001903FC
.text C:\Windows\system32\svchost.exe[12] USER32.dll!FindWindowW 76B7A441 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] ntdll.dll!LdrLoadDll 77499378 5 Bytes JMP 001501F8
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] ntdll.dll!LdrUnloadDll 774AB680 5 Bytes JMP 001503FC
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] kernel32.dll!OpenProcess 76EA7487 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] kernel32.dll!GetBinaryTypeW + 70 76EB2467 1 Byte [62]
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] ADVAPI32.dll!CreateServiceW 76F89EB4 5 Bytes JMP 001703FC
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] ADVAPI32.dll!DeleteService 76F8A07E 5 Bytes JMP 00170600
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] ADVAPI32.dll!SetServiceObjectSecurity 76FC6CD9 5 Bytes JMP 00171014
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] ADVAPI32.dll!ChangeServiceConfigA 76FC6DD9 5 Bytes JMP 00170804
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] ADVAPI32.dll!ChangeServiceConfigW 76FC6F81 5 Bytes JMP 00170A08
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] ADVAPI32.dll!ChangeServiceConfig2A 76FC7099 5 Bytes JMP 00170C0C
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] ADVAPI32.dll!ChangeServiceConfig2W 76FC71E1 5 Bytes JMP 00170E10
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] ADVAPI32.dll!CreateServiceA 76FC72A1 5 Bytes JMP 001701F8
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] USER32.dll!SetWindowsHookExA 76B66322 5 Bytes JMP 00180600
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] USER32.dll!SetWindowsHookExW 76B687AD 5 Bytes JMP 00180804
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] USER32.dll!IsWindowUnicode + 37 76B690B5 5 Bytes JMP 20CB9270 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] USER32.dll!UnhookWindowsHookEx 76B698DB 5 Bytes JMP 00180A08
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] USER32.dll!SetWinEventHook 76B69F3A 5 Bytes JMP 001801F8
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[200] USER32.dll!UnhookWinEvent 76B6C06F 5 Bytes JMP 001803FC
.text C:\Windows\System32\spoolsv.exe[644] ntdll.dll!LdrLoadDll 77499378 5 Bytes JMP 000501F8
.text C:\Windows\System32\spoolsv.exe[644] ntdll.dll!LdrUnloadDll 774AB680 5 Bytes JMP 000503FC
.text C:\Windows\System32\spoolsv.exe[644] ntdll.dll!NtAccessCheckByType 774D3EB4 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\System32\spoolsv.exe[644] ntdll.dll!NtAlpcImpersonateClientOfPort 774D4084 5 Bytes JMP 20CB8DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\System32\spoolsv.exe[644] ntdll.dll!NtImpersonateClientOfPort 774D4854 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\System32\spoolsv.exe[644] ntdll.dll!NtSetInformationProcess 774D5194 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\System32\spoolsv.exe[644] kernel32.dll!OpenProcess 76EA7487 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\System32\spoolsv.exe[644] kernel32.dll!GetBinaryTypeW + 70 76EB2467 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[644] ADVAPI32.dll!ImpersonateNamedPipeClient 76F53A48 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\System32\spoolsv.exe[644] ADVAPI32.dll!SetThreadToken 76F68E21 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\System32\spoolsv.exe[644] ADVAPI32.dll!CreateServiceW 76F89EB4 5 Bytes JMP 000703FC
.text C:\Windows\System32\spoolsv.exe[644] ADVAPI32.dll!DeleteService 76F8A07E 5 Bytes JMP 00070600
.text C:\Windows\System32\spoolsv.exe[644] ADVAPI32.dll!SetServiceObjectSecurity 76FC6CD9 5 Bytes JMP 00071014
.text C:\Windows\System32\spoolsv.exe[644] ADVAPI32.dll!ChangeServiceConfigA 76FC6DD9 5 Bytes JMP 00070804
.text C:\Windows\System32\spoolsv.exe[644] ADVAPI32.dll!ChangeServiceConfigW 76FC6F81 5 Bytes JMP 00070A08
.text C:\Windows\System32\spoolsv.exe[644] ADVAPI32.dll!ChangeServiceConfig2A 76FC7099 5 Bytes JMP 00070C0C
.text C:\Windows\System32\spoolsv.exe[644] ADVAPI32.dll!ChangeServiceConfig2W 76FC71E1 5 Bytes JMP 00070E10
.text C:\Windows\System32\spoolsv.exe[644] ADVAPI32.dll!CreateServiceA 76FC72A1 5 Bytes JMP 000701F8
.text C:\Windows\System32\spoolsv.exe[644] USER32.dll!SetWindowsHookExA 76B66322 5 Bytes JMP 000D0600
.text C:\Windows\System32\spoolsv.exe[644] USER32.dll!SetWindowsHookExW 76B687AD 5 Bytes JMP 000D0804
.text C:\Windows\System32\spoolsv.exe[644] USER32.dll!UnhookWindowsHookEx 76B698DB 5 Bytes JMP 000D0A08
.text C:\Windows\System32\spoolsv.exe[644] USER32.dll!FindWindowA 76B69D76 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\System32\spoolsv.exe[644] USER32.dll!SetWinEventHook 76B69F3A 5 Bytes JMP 000D01F8
.text C:\Windows\System32\spoolsv.exe[644] USER32.dll!UnhookWinEvent 76B6C06F 5 Bytes JMP 000D03FC
.text C:\Windows\System32\spoolsv.exe[644] USER32.dll!FindWindowW 76B7A441 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\csrss.exe[672] KERNEL32.dll!GetBinaryTypeW + 70 76EB2467 1 Byte [62]
.text C:\Windows\system32\wininit.exe[728] ntdll.dll!LdrLoadDll 77499378 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[728] ntdll.dll!LdrUnloadDll 774AB680 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[728] ntdll.dll!NtAccessCheckByType 774D3EB4 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\wininit.exe[728] ntdll.dll!NtAlpcImpersonateClientOfPort 774D4084 5 Bytes JMP 20CB8DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\wininit.exe[728] ntdll.dll!NtImpersonateClientOfPort 774D4854 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\wininit.exe[728] ntdll.dll!NtSetInformationProcess 774D5194 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\wininit.exe[728] kernel32.dll!OpenProcess 76EA7487 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\wininit.exe[728] kernel32.dll!GetBinaryTypeW + 70 76EB2467 1 Byte [62]
.text C:\Windows\system32\wininit.exe[728] ADVAPI32.dll!ImpersonateNamedPipeClient 76F53A48 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\wininit.exe[728] ADVAPI32.dll!SetThreadToken 76F68E21 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\wininit.exe[728] ADVAPI32.dll!CreateServiceW 76F89EB4 5 Bytes JMP 000603FC
.text C:\Windows\system32\wininit.exe[728] ADVAPI32.dll!DeleteService 76F8A07E 5 Bytes JMP 00060600
.text C:\Windows\system32\wininit.exe[728] ADVAPI32.dll!SetServiceObjectSecurity 76FC6CD9 5 Bytes JMP 00061014
.text C:\Windows\system32\wininit.exe[728] ADVAPI32.dll!ChangeServiceConfigA 76FC6DD9 5 Bytes JMP 00060804
.text C:\Windows\system32\wininit.exe[728] ADVAPI32.dll!ChangeServiceConfigW 76FC6F81 5 Bytes JMP 00060A08
.text C:\Windows\system32\wininit.exe[728] ADVAPI32.dll!ChangeServiceConfig2A 76FC7099 5 Bytes JMP 00060C0C
.text C:\Windows\system32\wininit.exe[728] ADVAPI32.dll!ChangeServiceConfig2W 76FC71E1 5 Bytes JMP 00060E10
.text C:\Windows\system32\wininit.exe[728] ADVAPI32.dll!CreateServiceA 76FC72A1 5 Bytes JMP 000601F8
.text C:\Windows\system32\wininit.exe[728] USER32.dll!SetWindowsHookExA 76B66322 5 Bytes JMP 00070600
.text C:\Windows\system32\wininit.exe[728] USER32.dll!SetWindowsHookExW 76B687AD 5 Bytes JMP 00070804
.text C:\Windows\system32\wininit.exe[728] USER32.dll!UnhookWindowsHookEx 76B698DB 5 Bytes JMP 00070A08
.text C:\Windows\system32\wininit.exe[728] USER32.dll!FindWindowA 76B69D76 5 Bytes JMP 20CB828F C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\wininit.exe[728] USER32.dll!SetWinEventHook 76B69F3A 5 Bytes JMP 000701F8
.text C:\Windows\system32\wininit.exe[728] USER32.dll!UnhookWinEvent 76B6C06F 5 Bytes JMP 000703FC
.text C:\Windows\system32\wininit.exe[728] USER32.dll!FindWindowW 76B7A441 5 Bytes JMP 20CB825A C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\csrss.exe[740] KERNEL32.dll!GetBinaryTypeW + 70 76EB2467 1 Byte [62]
.text C:\Windows\system32\services.exe[772] ntdll.dll!LdrLoadDll 77499378 5 Bytes JMP 000501F8
.text C:\Windows\system32\services.exe[772] ntdll.dll!LdrUnloadDll 774AB680 5 Bytes JMP 000503FC
.text C:\Windows\system32\services.exe[772] ntdll.dll!NtAccessCheckByType 774D3EB4 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\services.exe[772] ntdll.dll!NtAlpcImpersonateClientOfPort 774D4084 5 Bytes JMP 20CB8DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\services.exe[772] ntdll.dll!NtImpersonateClientOfPort 774D4854 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\services.exe[772] ntdll.dll!NtSetInformationProcess 774D5194 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
.text C:\Windows\system32\services.exe[772] kernel32.dll!OpenProcess 76EA7487 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm Browser Security/Check Point Software Technologies)
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
