GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-04 21:39:17
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HM160HI rev.HH100-06
Running: gmer.exe; Driver: C:\Users\Jacek\AppData\Local\Temp\kwddykog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8A020536]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8A8B27BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8A020F52]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8A02BD7A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8A02BDC6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8A02BF48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8A02BCE8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8A8B2BAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8A02BD30]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8A021146]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8A0212CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8A02BF02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8A0218CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8A020584]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8A8B289E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8A0201EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8A0205D2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8A0252A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8A022292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8A02BDA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8A02BDE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8A02BF6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8A02BD0E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8A02BE8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8A02BD58]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8A02BF26]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8A8B2A1E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8A02215E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThreadEx [0x8A021E9A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8A020620]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8A02066E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8A02174A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8A020276]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8A020426]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8A0203CC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8A021A2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8A021B88]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8A020496]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8A8B2AE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8A0215CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8A0206BC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8A8B2954]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8A8CA744]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82083599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 820A7F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 214 820AF724 4 Bytes [36, 05, 02, 8A]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 820AF74C 4 Bytes [BA, 27, 8B, 8A]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 820AF7AC 4 Bytes [52, 0F, 02, 8A]
.text ntkrnlpa.exe!RtlSidHashLookup + 2F0 820AF800 8 Bytes [7A, BD, 02, 8A, C6, BD, 02, ...] {JP 0xffffffffffffffbf; ADD CL, [EDX-0x75fd423a]}
.text ntkrnlpa.exe!RtlSidHashLookup + 2FC 820AF80C 4 Bytes [48, BF, 02, 8A]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82248FBF 5 Bytes JMP 8A8C761C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82262CF3 5 Bytes JMP 8A8C9116 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 822AD17A 4 Bytes CALL 8A022959 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 822B5255 4 Bytes CALL 8A02296F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 8231AEAC 7 Bytes JMP 8A8CA748 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\csrss.exe[420] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[436] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\wininit.exe[472] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\csrss.exe[484] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[532] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text ...
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] USER32.dll!UnhookWindowsHookEx 77B4CC7B 5 Bytes JMP 00140A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] USER32.dll!UnhookWinEvent 77B4D924 5 Bytes JMP 001403FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] USER32.dll!SetWindowsHookExW 77B5210A 5 Bytes JMP 00140804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] USER32.dll!SetWinEventHook 77B5507E 5 Bytes JMP 001401F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[1024] USER32.dll!SetWindowsHookExA 77B76DFA 5 Bytes JMP 00140600
.text C:\Windows\system32\AUDIODG.EXE[1076] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1124] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1224] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1372] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1400] kernel32.dll!SetUnhandledExceptionFilter 76263162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1400] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[1540] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Program Files\blueconnect\DataCardMonitor.exe[1556] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\Explorer.EXE[1564] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1636] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text ...
.text C:\Windows\WindowsMobile\wmdcBase.exe[2700] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 000603FC
.text C:\Windows\WindowsMobile\wmdcBase.exe[2700] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 000601F8
.text C:\Windows\WindowsMobile\wmdcBase.exe[2700] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\WindowsMobile\wmdcBase.exe[2700] USER32.dll!UnhookWindowsHookEx 77B4CC7B 5 Bytes JMP 00100A08
.text C:\Windows\WindowsMobile\wmdcBase.exe[2700] USER32.dll!UnhookWinEvent 77B4D924 5 Bytes JMP 001003FC
.text C:\Windows\WindowsMobile\wmdcBase.exe[2700] USER32.dll!SetWindowsHookExW 77B5210A 5 Bytes JMP 00100804
.text C:\Windows\WindowsMobile\wmdcBase.exe[2700] USER32.dll!SetWinEventHook 77B5507E 5 Bytes JMP 001001F8
.text C:\Windows\WindowsMobile\wmdcBase.exe[2700] USER32.dll!SetWindowsHookExA 77B76DFA 5 Bytes JMP 00100600
.text C:\Windows\system32\svchost.exe[2756] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2756] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2756] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2756] USER32.dll!UnhookWindowsHookEx 77B4CC7B 5 Bytes JMP 001E0A08
.text C:\Windows\system32\svchost.exe[2756] USER32.dll!UnhookWinEvent 77B4D924 5 Bytes JMP 001E03FC
.text C:\Windows\system32\svchost.exe[2756] USER32.dll!SetWindowsHookExW 77B5210A 5 Bytes JMP 001E0804
.text C:\Windows\system32\svchost.exe[2756] USER32.dll!SetWinEventHook 77B5507E 5 Bytes JMP 001E01F8
.text C:\Windows\system32\svchost.exe[2756] USER32.dll!SetWindowsHookExA 77B76DFA 5 Bytes JMP 001E0600
.text C:\Windows\System32\svchost.exe[2996] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[2996] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[2996] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\svchost.exe[3328] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[3328] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[3328] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Users\Jacek\AppData\Roaming\blueconnect\ouc.exe[3452] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 001703FC
.text C:\Users\Jacek\AppData\Roaming\blueconnect\ouc.exe[3452] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 001701F8
.text C:\Users\Jacek\AppData\Roaming\blueconnect\ouc.exe[3452] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3484] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\SearchIndexer.exe[3484] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 000601F8
.text C:\Windows\system32\SearchIndexer.exe[3484] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3484] USER32.dll!UnhookWindowsHookEx 77B4CC7B 5 Bytes JMP 00090A08
.text C:\Windows\system32\SearchIndexer.exe[3484] USER32.dll!UnhookWinEvent 77B4D924 5 Bytes JMP 000903FC
.text C:\Windows\system32\SearchIndexer.exe[3484] USER32.dll!SetWindowsHookExW 77B5210A 5 Bytes JMP 00090804
.text C:\Windows\system32\SearchIndexer.exe[3484] USER32.dll!SetWinEventHook 77B5507E 5 Bytes JMP 000901F8
.text C:\Windows\system32\SearchIndexer.exe[3484] USER32.dll!SetWindowsHookExA 77B76DFA 5 Bytes JMP 00090600
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3508] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 001603FC
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3508] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 001601F8
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3508] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3508] USER32.dll!UnhookWindowsHookEx 77B4CC7B 5 Bytes JMP 00200A08
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3508] USER32.dll!UnhookWinEvent 77B4D924 5 Bytes JMP 002003FC
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3508] USER32.dll!SetWindowsHookExW 77B5210A 5 Bytes JMP 00200804
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3508] USER32.dll!SetWinEventHook 77B5507E 5 Bytes JMP 002001F8
.text C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3508] USER32.dll!SetWindowsHookExA 77B76DFA 5 Bytes JMP 00200600
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3660] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 001603FC
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3660] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 001601F8
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3660] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3660] USER32.dll!UnhookWindowsHookEx 77B4CC7B 5 Bytes JMP 005C0A08
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3660] USER32.dll!UnhookWinEvent 77B4D924 5 Bytes JMP 005C03FC
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3660] USER32.dll!SetWindowsHookExW 77B5210A 5 Bytes JMP 005C0804
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3660] USER32.dll!SetWinEventHook 77B5507E 5 Bytes JMP 005C01F8
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3660] USER32.dll!SetWindowsHookExA 77B76DFA 5 Bytes JMP 005C0600
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[3668] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 000603FC
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[3668] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 000601F8
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[3668] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[3668] USER32.dll!UnhookWindowsHookEx 77B4CC7B 5 Bytes JMP 000F0A08
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[3668] USER32.dll!UnhookWinEvent 77B4D924 5 Bytes JMP 000F03FC
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[3668] USER32.dll!SetWindowsHookExW 77B5210A 5 Bytes JMP 000F0804
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[3668] USER32.dll!SetWinEventHook 77B5507E 5 Bytes JMP 000F01F8
.text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[3668] USER32.dll!SetWindowsHookExA 77B76DFA 5 Bytes JMP 000F0600
.text C:\Windows\system32\SearchProtocolHost.exe[3708] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 000503FC
.text C:\Windows\system32\SearchProtocolHost.exe[3708] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 000501F8
.text C:\Windows\system32\SearchProtocolHost.exe[3708] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\SearchProtocolHost.exe[3708] USER32.dll!UnhookWindowsHookEx 77B4CC7B 5 Bytes JMP 00080A08
.text C:\Windows\system32\SearchProtocolHost.exe[3708] USER32.dll!UnhookWinEvent 77B4D924 5 Bytes JMP 000803FC
.text C:\Windows\system32\SearchProtocolHost.exe[3708] USER32.dll!SetWindowsHookExW 77B5210A 5 Bytes JMP 00080804
.text C:\Windows\system32\SearchProtocolHost.exe[3708] USER32.dll!SetWinEventHook 77B5507E 5 Bytes JMP 000801F8
.text C:\Windows\system32\SearchProtocolHost.exe[3708] USER32.dll!SetWindowsHookExA 77B76DFA 5 Bytes JMP 00080600
.text C:\Windows\system32\SearchFilterHost.exe[3728] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 000A03FC
.text C:\Windows\system32\SearchFilterHost.exe[3728] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 000A01F8
.text C:\Windows\system32\SearchFilterHost.exe[3728] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\SearchFilterHost.exe[3728] USER32.dll!UnhookWindowsHookEx 77B4CC7B 5 Bytes JMP 00240A08
.text C:\Windows\system32\SearchFilterHost.exe[3728] USER32.dll!UnhookWinEvent 77B4D924 5 Bytes JMP 002403FC
.text C:\Windows\system32\SearchFilterHost.exe[3728] USER32.dll!SetWindowsHookExW 77B5210A 5 Bytes JMP 00240804
.text C:\Windows\system32\SearchFilterHost.exe[3728] USER32.dll!SetWinEventHook 77B5507E 5 Bytes JMP 002401F8
.text C:\Windows\system32\SearchFilterHost.exe[3728] USER32.dll!SetWindowsHookExA 77B76DFA 5 Bytes JMP 00240600
.text C:\Users\Jacek\Desktop\gmer.exe[3884] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 001603FC
.text C:\Users\Jacek\Desktop\gmer.exe[3884] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 001601F8
.text C:\Users\Jacek\Desktop\gmer.exe[3884] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Users\Jacek\Desktop\gmer.exe[3884] USER32.dll!UnhookWindowsHookEx 77B4CC7B 5 Bytes JMP 00310A08
.text C:\Users\Jacek\Desktop\gmer.exe[3884] USER32.dll!UnhookWinEvent 77B4D924 5 Bytes JMP 003103FC
.text C:\Users\Jacek\Desktop\gmer.exe[3884] USER32.dll!SetWindowsHookExW 77B5210A 5 Bytes JMP 00310804
.text C:\Users\Jacek\Desktop\gmer.exe[3884] USER32.dll!SetWinEventHook 77B5507E 5 Bytes JMP 003101F8
.text C:\Users\Jacek\Desktop\gmer.exe[3884] USER32.dll!SetWindowsHookExA 77B76DFA 5 Bytes JMP 00310600
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4020] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 001603FC
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4020] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 001601F8
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4020] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4020] USER32.dll!UnhookWindowsHookEx 77B4CC7B 5 Bytes JMP 00240A08
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4020] USER32.dll!UnhookWinEvent 77B4D924 5 Bytes JMP 002403FC
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4020] USER32.dll!SetWindowsHookExW 77B5210A 5 Bytes JMP 00240804
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4020] USER32.dll!SetWinEventHook 77B5507E 5 Bytes JMP 002401F8
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4020] USER32.dll!SetWindowsHookExA 77B76DFA 5 Bytes JMP 00240600
.text C:\Windows\system32\svchost.exe[5712] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[5712] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[5712] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\svchost.exe[5712] USER32.dll!UnhookWindowsHookEx 77B4CC7B 5 Bytes JMP 008E0A08
.text C:\Windows\system32\svchost.exe[5712] USER32.dll!UnhookWinEvent 77B4D924 5 Bytes JMP 008E03FC
.text C:\Windows\system32\svchost.exe[5712] USER32.dll!SetWindowsHookExW 77B5210A 5 Bytes JMP 008E0804
.text C:\Windows\system32\svchost.exe[5712] USER32.dll!SetWinEventHook 77B5507E 5 Bytes JMP 008E01F8
.text C:\Windows\system32\svchost.exe[5712] USER32.dll!SetWindowsHookExA 77B76DFA 5 Bytes JMP 008E0600
.text C:\Windows\system32\wbem\wmiprvse.exe[5880] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\wbem\wmiprvse.exe[5880] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 000601F8
.text C:\Windows\system32\wbem\wmiprvse.exe[5880] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[5880] USER32.dll!UnhookWindowsHookEx 77B4CC7B 5 Bytes JMP 00140A08
.text C:\Windows\system32\wbem\wmiprvse.exe[5880] USER32.dll!UnhookWinEvent 77B4D924 5 Bytes JMP 001403FC
.text C:\Windows\system32\wbem\wmiprvse.exe[5880] USER32.dll!SetWindowsHookExW 77B5210A 5 Bytes JMP 00140804
.text C:\Windows\system32\wbem\wmiprvse.exe[5880] USER32.dll!SetWinEventHook 77B5507E 5 Bytes JMP 001401F8
.text C:\Windows\system32\wbem\wmiprvse.exe[5880] USER32.dll!SetWindowsHookExA 77B76DFA 5 Bytes JMP 00140600
.text C:\Windows\System32\svchost.exe[6124] ntdll.dll!LdrUnloadDll 77D6BF1F 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[6124] ntdll.dll!LdrLoadDll 77D6F625 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[6124] kernel32.dll!GetBinaryTypeW + 70 76277984 1 Byte [62]
.text C:\Windows\System32\svchost.exe[6124] USER32.dll!UnhookWindowsHookEx 77B4CC7B 5 Bytes JMP 00290A08
.text C:\Windows\System32\svchost.exe[6124] USER32.dll!UnhookWinEvent 77B4D924 5 Bytes JMP 002903FC
.text C:\Windows\System32\svchost.exe[6124] USER32.dll!SetWindowsHookExW 77B5210A 5 Bytes JMP 00290804
.text C:\Windows\System32\svchost.exe[6124] USER32.dll!SetWinEventHook 77B5507E 5 Bytes JMP 002901F8
.text C:\Windows\System32\svchost.exe[6124] USER32.dll!SetWindowsHookExA 77B76DFA 5 Bytes JMP 00290600

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1400] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [7579F6D0] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Windows\Explorer.EXE[1564] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [747C2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1564] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [747A5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1564] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [747A56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1564] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [747C250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1564] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [747B8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1564] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [747B4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1564] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [747B50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1564] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [747B51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1564] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [747B66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1564] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [747B82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1564] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [747B8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1564] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [747B907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1564] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [747BE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1564] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [747B4C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Alwil Software\Avast5\AvastUI.exe[2500] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [7579F6D0] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000079 bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \Driver\BTHUSB \Device\0000007b bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\2c8158be9827
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\2c8158be9827@0026b0cb1493 0x79 0x1E 0xAB 0x61 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\2c8158be9827@380a9474644a 0xD1 0x2D 0xBC 0x37 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\2c8158be9827@505663b3ba7b 0xAF 0xB6 0x35 0xA7 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\2c8158be9827 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\2c8158be9827@0026b0cb1493 0x79 0x1E 0xAB 0x61 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\2c8158be9827@380a9474644a 0xD1 0x2D 0xBC 0x37 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\2c8158be9827@505663b3ba7b 0xAF 0xB6 0x35 0xA7 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{632E06A8-56FB-41ED-B5C0-EF2D15D09C4F}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{632E06A8-56FB-41ED-B5C0-EF2D15D09C4F}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{632E06A8-56FB-41ED-B5C0-EF2D15D09C4F}@Path \Microsoft\Windows Defender\MP Scheduled Scan
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{632E06A8-56FB-41ED-B5C0-EF2D15D09C4F}@Triggers 0x15 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{632E06A8-56FB-41ED-B5C0-EF2D15D09C4F}@DynamicInfo 0x03 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows Defender\MP Scheduled Scan@Id {632E06A8-56FB-41ED-B5C0-EF2D15D09C4F}

---- EOF - GMER 1.0.15 ----