GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-30 15:53:26
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HDT722516DLA380 rev.V43OA80A
Running: whtynjtf.exe; Driver: C:\Users\mama\AppData\Local\Temp\kxldypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8F447202]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8FB16D8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8F4497F0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8F449848]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8F44995E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8F449746]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8F449898]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8F44979A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8F44990C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8F447226]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8FB16E3C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8F446FF0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8F44724A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8F449D56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8F447CDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8F449820]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8F449870]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8F449988]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8F449772]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8F4498D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8F4497C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8F449936]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8FB16ED4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8F447BA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8F44726E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8F447292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8F44704A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8F447186]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8F447162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8F4471AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8F4472B6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8FB2C398]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82C77349 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CB0D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82CB7D80 4 Bytes [02, 72, 44, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82CB7DA8 4 Bytes [8C, 6D, B1, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82CB7E5C 8 Bytes [F0, 97, 44, 8F, 48, 98, 44, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82CB7E68 4 Bytes CALL C764DCEF
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82CB7E84 4 Bytes [46, 97, 44, 8F]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82E44BE8 5 Bytes JMP 8FB27D4C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82E5D1B8 5 Bytes JMP 8FB2980A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82E722FF 4 Bytes CALL 8F44834B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82E8C0D1 4 Bytes CALL 8F448361 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82F15F10 7 Bytes JMP 8FB2C39C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text autochk.exe 002411D1 5 Bytes [FE, 1B, 69, 18, D4]
.text autochk.exe 002411D7 4 Bytes [0C, B6, 01, 03] {OR AL, 0xb6; ADD [EBX], EAX}
.text autochk.exe 002411DC 3 Bytes [0E, 01, 03] {PUSH CS; ADD [EBX], EAX}
.text autochk.exe 002411E2 2 Bytes [01, 50]
.text autochk.exe 002411EC 2 Bytes [E2, 04] {LOOP 0x6}
.text ...
.text kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[108] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[108] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[108] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[108] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00550A08
.text C:\Windows\system32\svchost.exe[108] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 005503FC
.text C:\Windows\system32\svchost.exe[108] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00550804
.text C:\Windows\system32\svchost.exe[108] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 005501F8
.text C:\Windows\system32\svchost.exe[108] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00550600
.text C:\Windows\system32\svchost.exe[352] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[352] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[352] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[352] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 004A0A08
.text C:\Windows\system32\svchost.exe[352] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 004A03FC
.text C:\Windows\system32\svchost.exe[352] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 004A0804
.text C:\Windows\system32\svchost.exe[352] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 004A01F8
.text C:\Windows\system32\svchost.exe[352] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 004A0600
.text C:\Windows\System32\svchost.exe[432] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[432] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[432] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\csrss.exe[436] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[496] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[496] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[496] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[496] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00110A08
.text C:\Windows\system32\wininit.exe[496] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 001103FC
.text C:\Windows\system32\wininit.exe[496] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00110804
.text C:\Windows\system32\wininit.exe[496] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 001101F8
.text C:\Windows\system32\wininit.exe[496] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00110600
.text C:\Windows\system32\csrss.exe[508] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\services.exe[544] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\services.exe[544] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\services.exe[544] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\lsass.exe[568] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsass.exe[568] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[568] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[572] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\Dwm.exe[572] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\Dwm.exe[572] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[572] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 000F0A08
.text C:\Windows\system32\Dwm.exe[572] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 000F03FC
.text C:\Windows\system32\Dwm.exe[572] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 000F0804
.text C:\Windows\system32\Dwm.exe[572] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 000F01F8
.text C:\Windows\system32\Dwm.exe[572] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 000F0600
.text C:\Windows\system32\lsm.exe[576] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[576] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsm.exe[576] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[632] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[632] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[632] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[632] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\winlogon.exe[632] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 001003FC
.text C:\Windows\system32\winlogon.exe[632] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00100804
.text C:\Windows\system32\winlogon.exe[632] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\winlogon.exe[632] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\svchost.exe[716] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[716] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[716] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[716] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00290A08
.text C:\Windows\system32\svchost.exe[716] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 002903FC
.text C:\Windows\system32\svchost.exe[716] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00290804
.text C:\Windows\system32\svchost.exe[716] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 002901F8
.text C:\Windows\system32\svchost.exe[716] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00290600
.text C:\Windows\system32\svchost.exe[804] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[804] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[804] user32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00220A08
.text C:\Windows\system32\svchost.exe[804] user32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 002203FC
.text C:\Windows\system32\svchost.exe[804] user32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00220804
.text C:\Windows\system32\svchost.exe[804] user32.dll!SetWinEventHook 779424DC 5 Bytes JMP 002201F8
.text C:\Windows\system32\svchost.exe[804] user32.dll!SetWindowsHookExA 77966D0C 3 Bytes JMP 00220600
.text C:\Windows\system32\svchost.exe[804] user32.dll!SetWindowsHookExA + 4 77966D10 1 Byte [88]
.text C:\Windows\System32\svchost.exe[868] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[868] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[868] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[868] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 003E0A08
.text C:\Windows\System32\svchost.exe[868] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 003E03FC
.text C:\Windows\System32\svchost.exe[868] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 003E0804
.text C:\Windows\System32\svchost.exe[868] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 003E01F8
.text C:\Windows\System32\svchost.exe[868] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 003E0600
.text C:\Windows\System32\svchost.exe[932] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[932] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[932] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[932] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00960A08
.text C:\Windows\System32\svchost.exe[932] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 009603FC
.text C:\Windows\System32\svchost.exe[932] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00960804
.text C:\Windows\System32\svchost.exe[932] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 009601F8
.text C:\Windows\System32\svchost.exe[932] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00960600
.text C:\Program Files\Opera\opera.exe[952] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[984] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[984] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[984] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[984] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00EB0A08
.text C:\Windows\system32\svchost.exe[984] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 00EB03FC
.text C:\Windows\system32\svchost.exe[984] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00EB0804
.text C:\Windows\system32\svchost.exe[984] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 00EB01F8
.text C:\Windows\system32\svchost.exe[984] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00EB0600
.text C:\Windows\system32\svchost.exe[1176] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[1176] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[1176] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1176] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00450A08
.text C:\Windows\system32\svchost.exe[1176] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 004503FC
.text C:\Windows\system32\svchost.exe[1176] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00450804
.text C:\Windows\system32\svchost.exe[1176] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 004501F8
.text C:\Windows\system32\svchost.exe[1176] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00450600
.text C:\Windows\System32\svchost.exe[1228] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1228] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1228] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1368] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1368] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1368] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1432] kernel32.dll!SetUnhandledExceptionFilter 77C0F4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1432] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1748] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[1748] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[1748] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1748] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00100A08
.text C:\Windows\System32\spoolsv.exe[1748] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 001003FC
.text C:\Windows\System32\spoolsv.exe[1748] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00100804
.text C:\Windows\System32\spoolsv.exe[1748] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 001001F8
.text C:\Windows\System32\spoolsv.exe[1748] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\svchost.exe[1804] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1804] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1804] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1804] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00140A08
.text C:\Windows\system32\svchost.exe[1804] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 001403FC
.text C:\Windows\system32\svchost.exe[1804] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00140804
.text C:\Windows\system32\svchost.exe[1804] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 001401F8
.text C:\Windows\system32\svchost.exe[1804] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00140600
.text C:\Windows\system32\svchost.exe[2280] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[2280] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2280] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00330A08
.text C:\Windows\system32\svchost.exe[2280] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 003303FC
.text C:\Windows\system32\svchost.exe[2280] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00330804
.text C:\Windows\system32\svchost.exe[2280] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 003301F8
.text C:\Windows\system32\svchost.exe[2280] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00330600
.text C:\Windows\system32\WUDFHost.exe[2420] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\WUDFHost.exe[2420] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\WUDFHost.exe[2420] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\WUDFHost.exe[2420] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\WUDFHost.exe[2420] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 001003FC
.text C:\Windows\system32\WUDFHost.exe[2420] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00100804
.text C:\Windows\system32\WUDFHost.exe[2420] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\WUDFHost.exe[2420] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00100600
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2900] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Users\mama\Desktop\Repair\OTH.exe[3008] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 001603FC
.text C:\Users\mama\Desktop\Repair\OTH.exe[3008] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 001601F8
.text C:\Users\mama\Desktop\Repair\OTH.exe[3008] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Users\mama\Desktop\Repair\OTH.exe[3008] user32.DLL!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 048D0A08
.text C:\Users\mama\Desktop\Repair\OTH.exe[3008] user32.DLL!UnhookWinEvent 7793B750 5 Bytes JMP 048D03FC
.text C:\Users\mama\Desktop\Repair\OTH.exe[3008] user32.DLL!SetWindowsHookExW 7793E30C 5 Bytes JMP 048D0804
.text C:\Users\mama\Desktop\Repair\OTH.exe[3008] user32.DLL!SetWinEventHook 779424DC 5 Bytes JMP 048D01F8
.text C:\Users\mama\Desktop\Repair\OTH.exe[3008] user32.DLL!SetWindowsHookExA 77966D0C 5 Bytes JMP 048D0600
.text C:\Program Files\Windows Sidebar\sidebar.exe[3112] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[3112] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[3112] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Program Files\Windows Sidebar\sidebar.exe[3112] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00110A08
.text C:\Program Files\Windows Sidebar\sidebar.exe[3112] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 001103FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[3112] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00110804
.text C:\Program Files\Windows Sidebar\sidebar.exe[3112] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 001101F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[3112] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00110600
.text C:\Windows\System32\svchost.exe[3360] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[3360] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[3360] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[3360] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00150A08
.text C:\Windows\System32\svchost.exe[3360] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 001503FC
.text C:\Windows\System32\svchost.exe[3360] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00150804
.text C:\Windows\System32\svchost.exe[3360] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 001501F8
.text C:\Windows\System32\svchost.exe[3360] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00150600
.text C:\Users\mama\Desktop\Repair\whtynjtf.exe[3712] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3732] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\SearchIndexer.exe[3732] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\SearchIndexer.exe[3732] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3732] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\SearchIndexer.exe[3732] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 001003FC
.text C:\Windows\system32\SearchIndexer.exe[3732] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00100804
.text C:\Windows\system32\SearchIndexer.exe[3732] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\SearchIndexer.exe[3732] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\AUDIODG.EXE[3768] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3816] ntdll.dll!LdrUnloadDll 77CFC8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3816] ntdll.dll!LdrLoadDll 77D022B8 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3816] kernel32.dll!GetBinaryTypeW + 70 77C269F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3816] USER32.dll!UnhookWindowsHookEx 7793ADF9 5 Bytes JMP 00110A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3816] USER32.dll!UnhookWinEvent 7793B750 5 Bytes JMP 001103FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3816] USER32.dll!SetWindowsHookExW 7793E30C 5 Bytes JMP 00110804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3816] USER32.dll!SetWinEventHook 779424DC 5 Bytes JMP 001101F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3816] USER32.dll!SetWindowsHookExA 77966D0C 5 Bytes JMP 00110600

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000046 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----