GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-08 22:04:23
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HDT722516DLA380 rev.V43OA80A
Running: r3gf4d3h.exe; Driver: C:\Users\mama\AppData\Local\Temp\kwtdypow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8F44C374]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8F14D2B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8F44E996]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8F44E9EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8F44EB04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8F44E8EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8F44EA3E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8F44E940]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8F44EAB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8F44C398]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8F14D368]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8F44C162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8F44C3BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8F44EEFC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8F44CE54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8F44E9C6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8F44EA16]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8F44EB2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8F44E918]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8F44EA7E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8F44E96E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8F44EADC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8F14D400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8F44CD1A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8F44C3E0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8F44C404]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8F44C1BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8F44C2F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8F44C2D4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8F44C31C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8F44C428]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8F1629A6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82C3E349 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C77D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82C7ED80 4 Bytes [74, C3, 44, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82C7EDA8 4 Bytes [B8, D2, 14, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82C7EE5C 8 Bytes [96, E9, 44, 8F, EE, E9, 44, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82C7EE68 4 Bytes [04, EB, 44, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82C7EE84 4 Bytes CALL 98697DCD
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82E0BBE8 5 Bytes JMP 8F15E3DE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82E241B8 5 Bytes JMP 8F15FE9C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82E392FF 4 Bytes CALL 8F44D4C5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82E530D1 4 Bytes CALL 8F44D4DB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82EDCF10 7 Bytes JMP 8F1629AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text user32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes [E9, 0A, 5C, 56, 89] {JMP 0xffffffff89565c0f}
.text user32.dll!UnhookWinEvent 76CAB750 5 Bytes [E9, A7, 4C, 56, 89] {JMP 0xffffffff89564cac}
.text user32.dll!SetWindowsHookExW 76CAE30C 5 Bytes [E9, F3, 24, 56, 89] {JMP 0xffffffff895624f8}
.text user32.dll!SetWinEventHook 76CB24DC 5 Bytes [E9, 17, DD, 55, 89] {JMP 0xffffffff8955dd1c}
.text user32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes [E9, EF, 98, 53, 89] {JMP 0xffffffff895398f4}
.text kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\csrss.exe[444] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[456] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[456] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[456] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[456] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00210A08
.text C:\Windows\system32\svchost.exe[456] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 002103FC
.text C:\Windows\system32\svchost.exe[456] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00210804
.text C:\Windows\system32\svchost.exe[456] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 002101F8
.text C:\Windows\system32\svchost.exe[456] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00210600
.text C:\Windows\system32\wininit.exe[504] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000703FC
.text C:\Windows\system32\wininit.exe[504] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000701F8
.text C:\Windows\system32\wininit.exe[504] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[504] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00200A08
.text C:\Windows\system32\wininit.exe[504] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 002003FC
.text C:\Windows\system32\wininit.exe[504] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00200804
.text C:\Windows\system32\wininit.exe[504] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 002001F8
.text C:\Windows\system32\wininit.exe[504] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00200600
.text C:\Windows\system32\services.exe[552] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\services.exe[552] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\services.exe[552] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\lsass.exe[576] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsass.exe[576] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[576] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\lsm.exe[584] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[584] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsm.exe[584] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[724] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[724] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[724] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[724] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00D00A08
.text C:\Windows\system32\svchost.exe[724] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 00D003FC
.text C:\Windows\system32\svchost.exe[724] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00D00804
.text C:\Windows\system32\svchost.exe[724] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 00D001F8
.text C:\Windows\system32\svchost.exe[724] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00D00600
.text C:\Windows\system32\svchost.exe[816] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[816] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[816] user32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00360A08
.text C:\Windows\system32\svchost.exe[816] user32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 003603FC
.text C:\Windows\system32\svchost.exe[816] user32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00360804
.text C:\Windows\system32\svchost.exe[816] user32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 003601F8
.text C:\Windows\system32\svchost.exe[816] user32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00360600
.text C:\Windows\System32\svchost.exe[872] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\System32\svchost.exe[872] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000A01F8
.text C:\Windows\System32\svchost.exe[872] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[872] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00400A08
.text C:\Windows\System32\svchost.exe[872] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 004003FC
.text C:\Windows\System32\svchost.exe[872] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00400804
.text C:\Windows\System32\svchost.exe[872] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 004001F8
.text C:\Windows\System32\svchost.exe[872] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00400600
.text C:\Windows\System32\svchost.exe[944] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[944] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[944] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[944] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00950A08
.text C:\Windows\System32\svchost.exe[944] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 009503FC
.text C:\Windows\System32\svchost.exe[944] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00950804
.text C:\Windows\System32\svchost.exe[944] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 009501F8
.text C:\Windows\System32\svchost.exe[944] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00950600
.text C:\Windows\system32\svchost.exe[992] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[992] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[992] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[992] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00BD0A08
.text C:\Windows\system32\svchost.exe[992] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 00BD03FC
.text C:\Windows\system32\svchost.exe[992] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00BD0804
.text C:\Windows\system32\svchost.exe[992] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 00BD01F8
.text C:\Windows\system32\svchost.exe[992] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00BD0600
.text C:\Windows\system32\svchost.exe[1180] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[1180] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[1180] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 009E0A08
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 009E03FC
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 009E0804
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 009E01F8
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 009E0600
.text C:\Windows\system32\svchost.exe[1292] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1292] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1292] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1292] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 003C0A08
.text C:\Windows\system32\svchost.exe[1292] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 003C03FC
.text C:\Windows\system32\svchost.exe[1292] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 003C0804
.text C:\Windows\system32\svchost.exe[1292] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 003C01F8
.text C:\Windows\system32\svchost.exe[1292] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 003C0600
.text C:\Windows\system32\svchost.exe[1344] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1344] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1344] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1344] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00980A08
.text C:\Windows\system32\svchost.exe[1344] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 009803FC
.text C:\Windows\system32\svchost.exe[1344] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00980804
.text C:\Windows\system32\svchost.exe[1344] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 009801F8
.text C:\Windows\system32\svchost.exe[1344] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00980600
.text C:\Windows\System32\svchost.exe[1404] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1404] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1404] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1444] kernel32.dll!SetUnhandledExceptionFilter 76ACF4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1444] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1460] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1520] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[1520] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[1520] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1520] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00E50A08
.text C:\Windows\system32\svchost.exe[1520] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 00E503FC
.text C:\Windows\system32\svchost.exe[1520] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00E50804
.text C:\Windows\system32\svchost.exe[1520] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 00E501F8
.text C:\Windows\system32\svchost.exe[1520] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00E50600
.text C:\Windows\System32\svchost.exe[1828] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\System32\svchost.exe[1828] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000A01F8
.text C:\Windows\System32\svchost.exe[1828] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[1832] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[1832] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[1832] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[1832] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 000C0A08
.text C:\Windows\system32\winlogon.exe[1832] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 000C03FC
.text C:\Windows\system32\winlogon.exe[1832] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 000C0804
.text C:\Windows\system32\winlogon.exe[1832] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 000C01F8
.text C:\Windows\system32\winlogon.exe[1832] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 000C0600
.text C:\Windows\system32\svchost.exe[1868] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1868] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1868] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[2012] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[2012] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[2012] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[2012] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00090A08
.text C:\Windows\System32\spoolsv.exe[2012] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 000903FC
.text C:\Windows\System32\spoolsv.exe[2012] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00090804
.text C:\Windows\System32\spoolsv.exe[2012] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 000901F8
.text C:\Windows\System32\spoolsv.exe[2012] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00090600
.text C:\Windows\system32\svchost.exe[2244] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2244] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2244] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2244] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00330A08
.text C:\Windows\system32\svchost.exe[2244] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 003303FC
.text C:\Windows\system32\svchost.exe[2244] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00330804
.text C:\Windows\system32\svchost.exe[2244] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 003301F8
.text C:\Windows\system32\svchost.exe[2244] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00330600
.text C:\Windows\system32\WUDFHost.exe[2436] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\WUDFHost.exe[2436] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\WUDFHost.exe[2436] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\WUDFHost.exe[2436] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\WUDFHost.exe[2436] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 001003FC
.text C:\Windows\system32\WUDFHost.exe[2436] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00100804
.text C:\Windows\system32\WUDFHost.exe[2436] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\WUDFHost.exe[2436] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00100600
.text C:\Windows\System32\svchost.exe[2616] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[2616] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[2616] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[2616] user32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00200A08
.text C:\Windows\System32\svchost.exe[2616] user32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 002003FC
.text C:\Windows\System32\svchost.exe[2616] user32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00200804
.text C:\Windows\System32\svchost.exe[2616] user32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 002001F8
.text C:\Windows\System32\svchost.exe[2616] user32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00200600
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2668] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2668] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2668] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2668] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2668] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 001003FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2668] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00100804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2668] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 001001F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2668] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\csrss.exe[2820] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3688] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\SearchIndexer.exe[3688] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\SearchIndexer.exe[3688] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3688] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00090A08
.text C:\Windows\system32\SearchIndexer.exe[3688] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 000903FC
.text C:\Windows\system32\SearchIndexer.exe[3688] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00090804
.text C:\Windows\system32\SearchIndexer.exe[3688] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 000901F8
.text C:\Windows\system32\SearchIndexer.exe[3688] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00090600
.text C:\Windows\System32\svchost.exe[4068] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\System32\svchost.exe[4068] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000A01F8
.text C:\Windows\System32\svchost.exe[4068] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Program Files\Windows Sidebar\sidebar.exe[5084] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[5084] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[5084] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Program Files\Windows Sidebar\sidebar.exe[5084] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 000E0A08
.text C:\Program Files\Windows Sidebar\sidebar.exe[5084] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 000E03FC
.text C:\Program Files\Windows Sidebar\sidebar.exe[5084] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 000E0804
.text C:\Program Files\Windows Sidebar\sidebar.exe[5084] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 000E01F8
.text C:\Program Files\Windows Sidebar\sidebar.exe[5084] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 000E0600
.text C:\Windows\System32\svchost.exe[5176] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[5176] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[5176] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[5176] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 001C0A08
.text C:\Windows\System32\svchost.exe[5176] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 001C03FC
.text C:\Windows\System32\svchost.exe[5176] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 001C0804
.text C:\Windows\System32\svchost.exe[5176] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 001C01F8
.text C:\Windows\System32\svchost.exe[5176] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 001C0600
.text C:\Windows\system32\AUDIODG.EXE[5232] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Users\mama\Desktop\Repair\OTH.exe[5408] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 001603FC
.text C:\Users\mama\Desktop\Repair\OTH.exe[5408] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 001601F8
.text C:\Users\mama\Desktop\Repair\OTH.exe[5408] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[5640] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\Dwm.exe[5640] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\Dwm.exe[5640] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[5640] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 000F0A08
.text C:\Windows\system32\Dwm.exe[5640] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 000F03FC
.text C:\Windows\system32\Dwm.exe[5640] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 000F0804
.text C:\Windows\system32\Dwm.exe[5640] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 000F01F8
.text C:\Windows\system32\Dwm.exe[5640] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 000F0600
.text C:\Users\mama\Desktop\Repair\r3gf4d3h.exe[5692] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 001603FC
.text C:\Users\mama\Desktop\Repair\r3gf4d3h.exe[5692] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 001601F8
.text C:\Users\mama\Desktop\Repair\r3gf4d3h.exe[5692] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Users\mama\Desktop\Repair\r3gf4d3h.exe[5692] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00210A08
.text C:\Users\mama\Desktop\Repair\r3gf4d3h.exe[5692] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 002103FC
.text C:\Users\mama\Desktop\Repair\r3gf4d3h.exe[5692] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00210804
.text C:\Users\mama\Desktop\Repair\r3gf4d3h.exe[5692] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 002101F8
.text C:\Users\mama\Desktop\Repair\r3gf4d3h.exe[5692] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00210600
.text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5944] ntdll.dll!LdrUnloadDll 77A1C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5944] ntdll.dll!LdrLoadDll 77A222B8 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5944] kernel32.dll!GetBinaryTypeW + 70 76AE69F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5944] USER32.dll!UnhookWindowsHookEx 76CAADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5944] USER32.dll!UnhookWinEvent 76CAB750 5 Bytes JMP 001003FC
.text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5944] USER32.dll!SetWindowsHookExW 76CAE30C 5 Bytes JMP 00100804
.text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5944] USER32.dll!SetWinEventHook 76CB24DC 5 Bytes JMP 001001F8
.text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[5944] USER32.dll!SetWindowsHookExA 76CD6D0C 5 Bytes JMP 00100600

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000046 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----