GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-06 18:52:01
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST3500413AS rev.JC45
Running: zkm7xyd5.exe; Driver: C:\Users\Kowal\AppData\Local\Temp\fxldqfog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x91C1ADC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x926C3904]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x91C1B832]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x91C2025C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x91C202A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x91C2039A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x91C201CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x91C202EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x91C20212]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x91C20354]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x91C1AE10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x926C39DE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x91C1AAA2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x91C1AE5C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x91C1DC94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x91C1BAD6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x91C20286]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x91C202CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x91C203BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x91C201F0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x91C20326]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x91C2023A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x91C20378]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x926C3B4A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x91C1B9A2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x91C1AEA8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x91C1AEF4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x91C1AB12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x91C1ACB6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x91C1AC5E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x91C1AD26]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x926C3C0A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x91C1AF40]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x926C3A8A]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x926D9A72]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 8327C369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832B5D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 832BCD80 4 Bytes [C4, AD, C1, 91]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 832BCDA8 4 Bytes [04, 39, 6C, 92] {ADD AL, 0x39; INSB ; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 832BCE08 4 Bytes [32, B8, C1, 91]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 832BCE5C 8 Bytes [5C, 02, C2, 91, A8, 02, C2, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 832BCE68 4 Bytes [9A, 03, C2, 91]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83449BE8 5 Bytes JMP 926D696C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 834621D0 5 Bytes JMP 926D8444 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 83477317 4 Bytes CALL 91C1C189 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 834910E9 4 Bytes CALL 91C1C19F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 8351AF30 7 Bytes JMP 926D9A76 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92E0B000, 0x3C12C5, 0xE8000020]
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x9F539300, 0x3B6D8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9F57C300, 0x1BEE, 0xE8000020]
? C:\Windows\system32\Drivers\PROCEXP113.SYS Nie można odnaleźć określonego pliku. !
? C:\Users\Kowal\AppData\Local\Temp\catchme.sys Nie można odnaleźć określonego pliku. !
.text kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\System32\alg.exe[376] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\alg.exe[376] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\alg.exe[376] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\System32\alg.exe[376] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 00110A08
.text C:\Windows\System32\alg.exe[376] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 001103FC
.text C:\Windows\System32\alg.exe[376] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 00110804
.text C:\Windows\System32\alg.exe[376] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 001101F8
.text C:\Windows\System32\alg.exe[376] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 00110600
.text C:\Windows\system32\csrss.exe[480] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[560] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[560] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[560] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[560] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\wininit.exe[560] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 001003FC
.text C:\Windows\system32\wininit.exe[560] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 00100804
.text C:\Windows\system32\wininit.exe[560] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\wininit.exe[560] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\csrss.exe[568] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\services.exe[608] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\services.exe[608] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\services.exe[608] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[652] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[652] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[652] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[652] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 000C0A08
.text C:\Windows\system32\winlogon.exe[652] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 000C03FC
.text C:\Windows\system32\winlogon.exe[652] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 000C0804
.text C:\Windows\system32\winlogon.exe[652] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 000C01F8
.text C:\Windows\system32\winlogon.exe[652] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 000C0600
.text C:\Windows\system32\lsass.exe[680] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000A03FC
.text C:\Windows\system32\lsass.exe[680] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000A01F8
.text C:\Windows\system32\lsass.exe[680] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\lsass.exe[680] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 00040A08
.text C:\Windows\system32\lsass.exe[680] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 000403FC
.text C:\Windows\system32\lsass.exe[680] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 00040804
.text C:\Windows\system32\lsass.exe[680] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 000401F8
.text C:\Windows\system32\lsass.exe[680] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 00040600
.text C:\Windows\system32\lsm.exe[688] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[688] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsm.exe[688] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[784] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[784] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[784] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[872] KERNEL32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[880] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[880] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\atiesrxx.exe[944] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 001603FC
.text C:\Windows\system32\atiesrxx.exe[944] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 001601F8
.text C:\Windows\system32\atiesrxx.exe[944] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\atiesrxx.exe[944] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\atiesrxx.exe[944] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\atiesrxx.exe[944] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\atiesrxx.exe[944] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\atiesrxx.exe[944] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 001F0600
.text C:\Windows\System32\svchost.exe[1004] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1004] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1004] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 008F0A08
.text C:\Windows\System32\svchost.exe[1004] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 008F03FC
.text C:\Windows\System32\svchost.exe[1004] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 008F0804
.text C:\Windows\System32\svchost.exe[1004] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 008F01F8
.text C:\Windows\System32\svchost.exe[1004] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 008F0600
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1040] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 00950A08
.text C:\Windows\System32\svchost.exe[1040] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 009503FC
.text C:\Windows\System32\svchost.exe[1040] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 00950804
.text C:\Windows\System32\svchost.exe[1040] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 009501F8
.text C:\Windows\System32\svchost.exe[1040] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 00950600
.text C:\Windows\system32\svchost.exe[1096] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1096] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1096] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1096] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 00B80A08
.text C:\Windows\system32\svchost.exe[1096] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 00B803FC
.text C:\Windows\system32\svchost.exe[1096] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 00B80804
.text C:\Windows\system32\svchost.exe[1096] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 00B801F8
.text C:\Windows\system32\svchost.exe[1096] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 00B80600
.text C:\Windows\system32\svchost.exe[1232] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1232] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1232] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1232] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 00A20A08
.text C:\Windows\system32\svchost.exe[1232] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 00A203FC
.text C:\Windows\system32\svchost.exe[1232] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 00A20804
.text C:\Windows\system32\svchost.exe[1232] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 00A201F8
.text C:\Windows\system32\svchost.exe[1232] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 00A20600
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1324] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1324] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1324] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 005A0A08
.text C:\Windows\system32\svchost.exe[1324] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 005A03FC
.text C:\Windows\system32\svchost.exe[1324] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 005A0804
.text C:\Windows\system32\svchost.exe[1324] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 005A01F8
.text C:\Windows\system32\svchost.exe[1324] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 005A0600
.text C:\Windows\system32\atieclxx.exe[1420] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 001603FC
.text C:\Windows\system32\atieclxx.exe[1420] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 001601F8
.text C:\Windows\system32\atieclxx.exe[1420] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\atieclxx.exe[1420] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 002F0A08
.text C:\Windows\system32\atieclxx.exe[1420] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 002F03FC
.text C:\Windows\system32\atieclxx.exe[1420] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 002F0804
.text C:\Windows\system32\atieclxx.exe[1420] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 002F01F8
.text C:\Windows\system32\atieclxx.exe[1420] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 002F0600
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1432] kernel32.dll!SetUnhandledExceptionFilter 7582F4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1432] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1568] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[1568] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[1568] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1568] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 00150A08
.text C:\Windows\System32\spoolsv.exe[1568] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 001503FC
.text C:\Windows\System32\spoolsv.exe[1568] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 00150804
.text C:\Windows\System32\spoolsv.exe[1568] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 001501F8
.text C:\Windows\System32\spoolsv.exe[1568] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 00150600
.text C:\Windows\system32\svchost.exe[1600] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1600] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1600] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1600] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 00190A08
.text C:\Windows\system32\svchost.exe[1600] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 001903FC
.text C:\Windows\system32\svchost.exe[1600] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 00190804
.text C:\Windows\system32\svchost.exe[1600] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 001901F8
.text C:\Windows\system32\svchost.exe[1600] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 00190600
.text C:\Windows\system32\svchost.exe[1712] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1712] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1712] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1712] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 00560A08
.text C:\Windows\system32\svchost.exe[1712] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 005603FC
.text C:\Windows\system32\svchost.exe[1712] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 00560804
.text C:\Windows\system32\svchost.exe[1712] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 005601F8
.text C:\Windows\system32\svchost.exe[1712] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 00560600
.text C:\Windows\system32\PnkBstrA.exe[1736] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 001503FC
.text C:\Windows\system32\PnkBstrA.exe[1736] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 001501F8
.text C:\Windows\system32\PnkBstrA.exe[1736] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\PnkBstrA.exe[1736] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 001E0A08
.text C:\Windows\system32\PnkBstrA.exe[1736] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 001E03FC
.text C:\Windows\system32\PnkBstrA.exe[1736] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 001E0804
.text C:\Windows\system32\PnkBstrA.exe[1736] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 001E01F8
.text C:\Windows\system32\PnkBstrA.exe[1736] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 001E0600
.text C:\Program Files\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[1792] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 001603FC
.text C:\Program Files\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[1792] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 001601F8
.text C:\Program Files\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[1792] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Program Files\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[1792] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[1792] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 001F03FC
.text C:\Program Files\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[1792] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 001F0804
.text C:\Program Files\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[1792] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 001F01F8
.text C:\Program Files\GIGABYTE\Smart6\Timelock\TimeMgmtDaemon.exe[1792] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 001F0600
.text C:\Windows\system32\svchost.exe[1832] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1832] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1832] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Program Files\GIGABYTE\Smart6\Timelock\AlarmClock.exe[2192] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 001603FC
.text C:\Program Files\GIGABYTE\Smart6\Timelock\AlarmClock.exe[2192] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 001601F8
.text C:\Program Files\GIGABYTE\Smart6\Timelock\AlarmClock.exe[2192] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Program Files\GIGABYTE\Smart6\Timelock\AlarmClock.exe[2192] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 002F0A08
.text C:\Program Files\GIGABYTE\Smart6\Timelock\AlarmClock.exe[2192] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 002F03FC
.text C:\Program Files\GIGABYTE\Smart6\Timelock\AlarmClock.exe[2192] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 002F0804
.text C:\Program Files\GIGABYTE\Smart6\Timelock\AlarmClock.exe[2192] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 002F01F8
.text C:\Program Files\GIGABYTE\Smart6\Timelock\AlarmClock.exe[2192] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 002F0600
.text C:\Windows\system32\Dwm.exe[2332] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\Dwm.exe[2332] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\Dwm.exe[2332] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[2332] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 000F0A08
.text C:\Windows\system32\Dwm.exe[2332] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 000F03FC
.text C:\Windows\system32\Dwm.exe[2332] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 000F0804
.text C:\Windows\system32\Dwm.exe[2332] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 000F01F8
.text C:\Windows\system32\Dwm.exe[2332] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 000F0600
.text C:\Windows\notepad.exe[2472] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[2476] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[2476] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskhost.exe[2476] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[2476] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 00070A08
.text C:\Windows\system32\taskhost.exe[2476] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 000703FC
.text C:\Windows\system32\taskhost.exe[2476] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 00070804
.text C:\Windows\system32\taskhost.exe[2476] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 000701F8
.text C:\Windows\system32\taskhost.exe[2476] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 00070600
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3312] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3312] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3312] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3312] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 00140A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3312] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 001403FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3312] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 00140804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3312] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 001401F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3312] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 00140600
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3384] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 001603FC
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3384] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 001601F8
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3384] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3384] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 00200A08
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3384] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 002003FC
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3384] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 00200804
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3384] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 002001F8
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3384] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 00200600
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3392] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3616] KERNEL32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3716] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\SearchIndexer.exe[3716] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\SearchIndexer.exe[3716] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3716] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\SearchIndexer.exe[3716] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 001003FC
.text C:\Windows\system32\SearchIndexer.exe[3716] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 00100804
.text C:\Windows\system32\SearchIndexer.exe[3716] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\SearchIndexer.exe[3716] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 00100600
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3828] KERNEL32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\SearchProtocolHost.exe[4104] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\explorer.exe[4268] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\AUDIODG.EXE[4440] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Program Files\Skype\Phone\Skype.exe[4944] ntdll.dll!LdrUnloadDll 76E0C86E 5 Bytes JMP 001603FC
.text C:\Program Files\Skype\Phone\Skype.exe[4944] ntdll.dll!LdrLoadDll 76E1223E 5 Bytes JMP 001601F8
.text C:\Program Files\Skype\Phone\Skype.exe[4944] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Program Files\Skype\Phone\Skype.exe[4944] USER32.dll!UnhookWindowsHookEx 755FADF9 5 Bytes JMP 00310A08
.text C:\Program Files\Skype\Phone\Skype.exe[4944] USER32.dll!UnhookWinEvent 755FB750 5 Bytes JMP 003103FC
.text C:\Program Files\Skype\Phone\Skype.exe[4944] USER32.dll!SetWindowsHookExW 755FE30C 5 Bytes JMP 00310804
.text C:\Program Files\Skype\Phone\Skype.exe[4944] USER32.dll!SetWinEventHook 756024DC 5 Bytes JMP 003101F8
.text C:\Program Files\Skype\Phone\Skype.exe[4944] USER32.dll!SetWindowsHookExA 75626D0C 5 Bytes JMP 00310600
.text C:\Users\Kowal\Downloads\zkm7xyd5.exe[5476] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]
.text C:\Windows\system32\SearchFilterHost.exe[5576] kernel32.dll!GetBinaryTypeW + 70 758469F4 1 Byte [62]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1432] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [72B5F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[3392] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [72B5F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \Driver\ACPI_HAL \Device\00000054 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 2611

---- EOF - GMER 1.0.15 ----