GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-10 11:50:43
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 SAMSUNG_HD502HJ rev.1AJ10001
Running: eqip5cf5.exe; Driver: C:\Users\henry\AppData\Local\Temp\awddikoc.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x9123C708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x91D217C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x9123D11C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x91247F28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x91247F74]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x912480F6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x91247E96]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x91D21BBA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x91247EDE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x9123D310]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x9123D498]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x912480B0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x9123DA9C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x9123C756]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x91D218AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x9123C3BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x9123C7A4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x91241456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x9123E464]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x91247F52]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x91247F96]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x9124811A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x91247EBC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x9124803A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x91247F06]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x912480D4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x91D21A2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x9123E330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThreadEx [0x9123E06C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x9123C7F2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x9123C840]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x9123D91C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x9123C448]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x9123C5F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x9123C59E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x9123DBFE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x9123DD5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x9123C668]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x91D21AF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x9123D794]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x9123C88E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x91D21962]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x91D39966]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 83E3F3C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83E78D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 83E7FD80 4 Bytes [08, C7, 23, 91]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 83E7FDA8 4 Bytes [C8, 17, D2, 91] {ENTER 0xd217, 0x91}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 83E7FE08 4 Bytes [1C, D1, 23, 91]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 83E7FE5C 8 Bytes [28, 7F, 24, 91, 74, 7F, 24, ...] {SUB [EDI+0x24], BH; XCHG ECX, EAX; JZ 0x85; AND AL, 0x91}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 83E7FE68 4 Bytes [F6, 80, 24, 91]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8400CC64 5 Bytes JMP 91D36806 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 84025290 5 Bytes JMP 91D38338 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 8403A3D7 4 Bytes CALL 9123EB07 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 840541E0 4 Bytes CALL 9123EB1D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 840DE11A 7 Bytes JMP 91D3996A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text win32k.sys!EngFntCacheLookUp + 8B1B 9B9209D5 5 Bytes JMP 91241DDA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateRectRgn + 3819 9B934AA1 5 Bytes JMP 91241F20 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateRectRgn + 47FC 9B935A84 5 Bytes JMP 91241C00 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCTGetGammaTable + 310 9B9513CD 5 Bytes JMP 912429A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCTGetGammaTable + 4C63 9B955D20 5 Bytes JMP 912416E6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCTGetGammaTable + 60B0 9B95716D 5 Bytes JMP 91242BD8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCTGetGammaTable + BE21 9B95CEDE 5 Bytes JMP 91241FB2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCTGetGammaTable + C070 9B95D12D 5 Bytes JMP 912420A4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMapFontFileFD + 650 9B976BE5 5 Bytes JMP 9124148C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMapFontFileFD + 70E 9B976CA3 5 Bytes JMP 91241FCA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMapFontFileFD + 38FE 9B979E93 5 Bytes JMP 91241592 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMapFontFileFD + 39BC 9B979F51 5 Bytes JMP 912415AA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngIsSemaphoreOwnedByCurrentThread + 1EDA 9B97E5C5 5 Bytes JMP 91241E06 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 2B26 9B988019 3 Bytes JMP 91241B40 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + 2B2A 9B98801D 1 Byte [F5]
.text win32k.sys!EngUnmapFontFileFD + ACDC 9B9901CF 3 Bytes JMP 91241756 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + ACE0 9B9901D3 1 Byte [F5]
.text win32k.sys!EngUnmapFontFileFD + 14F8D 9B99A480 5 Bytes JMP 9124286E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAlphaBlend + 5066 9B9B1BDE 5 Bytes JMP 91242918 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngBitBlt + 42AA 9B9BF581 5 Bytes JMP 91242DE0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnlockSurface + B238 9B9D4DF7 5 Bytes JMP 9124295E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnlockSurface + CBF7 9B9D67B6 5 Bytes JMP 91244854 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteClip + 480C 9B9E765B 5 Bytes JMP 91241682 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngEqualRgn + 41B2 9B9F55EC 5 Bytes JMP 91241A6A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngEqualRgn + B3FE 9B9FC838 5 Bytes JMP 91242C96 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteRgn + 2198 9BA135E7 5 Bytes JMP 9124193E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 8676 9BA3471E 5 Bytes JMP 91242D3E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 2EC6 9BA4C703 5 Bytes JMP 91242B20 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 3457 9BA4CC94 5 Bytes JMP 91241812 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 6545 9BA4FD82 5 Bytes JMP 91241FE2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 9678 9BA52EB5 5 Bytes JMP 91241866 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + BF49 9BA55786 5 Bytes JMP 9124208C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCTGetCurrentGamma + 63F2 9BA6192E 5 Bytes JMP 912419D4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\csrss.exe[512] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[572] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\csrss.exe[588] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\services.exe[632] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[672] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text ...
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1396] kernel32.dll!SetUnhandledExceptionFilter 7651F4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1396] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\afwServ.exe[1448] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1592] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1628] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1708] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text ...
.text C:\Windows\System32\svchost.exe[1800] ntdll.dll!LdrUnloadDll 77D9C86E 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1800] ntdll.dll!LdrLoadDll 77DA223E 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1800] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1800] USER32.dll!UnhookWindowsHookEx 7760ADF9 5 Bytes JMP 00200A08
.text C:\Windows\System32\svchost.exe[1800] USER32.dll!UnhookWinEvent 7760B750 5 Bytes JMP 002003FC
.text C:\Windows\System32\svchost.exe[1800] USER32.dll!SetWindowsHookExW 7760E30C 5 Bytes JMP 00200804
.text C:\Windows\System32\svchost.exe[1800] USER32.dll!SetWinEventHook 776124DC 5 Bytes JMP 002001F8
.text C:\Windows\System32\svchost.exe[1800] USER32.dll!SetWindowsHookExA 77636D0C 5 Bytes JMP 00200600
.text C:\Windows\system32\svchost.exe[1880] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe[1932] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[2076] ntdll.dll!LdrUnloadDll 77D9C86E 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[2076] ntdll.dll!LdrLoadDll 77DA223E 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskhost.exe[2076] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[2076] USER32.dll!UnhookWindowsHookEx 7760ADF9 5 Bytes JMP 000F0A08
.text C:\Windows\system32\taskhost.exe[2076] USER32.dll!UnhookWinEvent 7760B750 5 Bytes JMP 000F03FC
.text C:\Windows\system32\taskhost.exe[2076] USER32.dll!SetWindowsHookExW 7760E30C 5 Bytes JMP 000F0804
.text C:\Windows\system32\taskhost.exe[2076] USER32.dll!SetWinEventHook 776124DC 5 Bytes JMP 000F01F8
.text C:\Windows\system32\taskhost.exe[2076] USER32.dll!SetWindowsHookExA 77636D0C 5 Bytes JMP 000F0600
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[2084] ntdll.dll!LdrUnloadDll 77D9C86E 5 Bytes JMP 001903FC
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[2084] ntdll.dll!LdrLoadDll 77DA223E 5 Bytes JMP 001901F8
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[2084] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[2084] USER32.dll!UnhookWindowsHookEx 7760ADF9 5 Bytes JMP 00220A08
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[2084] USER32.dll!UnhookWinEvent 7760B750 5 Bytes JMP 002203FC
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[2084] USER32.dll!SetWindowsHookExW 7760E30C 5 Bytes JMP 00220804
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[2084] USER32.dll!SetWinEventHook 776124DC 5 Bytes JMP 002201F8
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[2084] USER32.dll!SetWindowsHookExA 77636D0C 5 Bytes JMP 00220600
.text C:\Windows\system32\Dwm.exe[2120] ntdll.dll!LdrUnloadDll 77D9C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\Dwm.exe[2120] ntdll.dll!LdrLoadDll 77DA223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\Dwm.exe[2120] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[2120] USER32.dll!UnhookWindowsHookEx 7760ADF9 5 Bytes JMP 000F0A08
.text C:\Windows\system32\Dwm.exe[2120] USER32.dll!UnhookWinEvent 7760B750 5 Bytes JMP 000F03FC
.text C:\Windows\system32\Dwm.exe[2120] USER32.dll!SetWindowsHookExW 7760E30C 5 Bytes JMP 000F0804
.text C:\Windows\system32\Dwm.exe[2120] USER32.dll!SetWinEventHook 776124DC 5 Bytes JMP 000F01F8
.text C:\Windows\system32\Dwm.exe[2120] USER32.dll!SetWindowsHookExA 77636D0C 5 Bytes JMP 000F0600
.text C:\Windows\Explorer.EXE[2148] ntdll.dll!LdrUnloadDll 77D9C86E 5 Bytes JMP 000A03FC
.text C:\Windows\Explorer.EXE[2148] ntdll.dll!LdrLoadDll 77DA223E 5 Bytes JMP 000A01F8
.text C:\Windows\Explorer.EXE[2148] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\Explorer.EXE[2148] USER32.dll!UnhookWindowsHookEx 7760ADF9 5 Bytes JMP 00160A08
.text C:\Windows\Explorer.EXE[2148] USER32.dll!UnhookWinEvent 7760B750 5 Bytes JMP 001603FC
.text C:\Windows\Explorer.EXE[2148] USER32.dll!SetWindowsHookExW 7760E30C 5 Bytes JMP 00160804
.text C:\Windows\Explorer.EXE[2148] USER32.dll!SetWinEventHook 776124DC 5 Bytes JMP 001601F8
.text C:\Windows\Explorer.EXE[2148] USER32.dll!SetWindowsHookExA 77636D0C 5 Bytes JMP 00160600
.text C:\Windows\system32\taskeng.exe[2428] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2684] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Windows\system32\AUDIODG.EXE[3228] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3624] ntdll.dll!LdrUnloadDll 77D9C86E 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3624] ntdll.dll!LdrLoadDll 77DA223E 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3624] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3624] USER32.dll!UnhookWindowsHookEx 7760ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3624] USER32.dll!UnhookWinEvent 7760B750 5 Bytes JMP 001003FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3624] USER32.dll!SetWindowsHookExW 7760E30C 5 Bytes JMP 00100804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3624] USER32.dll!SetWinEventHook 776124DC 5 Bytes JMP 001001F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3624] USER32.dll!SetWindowsHookExA 77636D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\svchost.exe[3688] ntdll.dll!LdrUnloadDll 77D9C86E 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[3688] ntdll.dll!LdrLoadDll 77DA223E 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[3688] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3744] ntdll.dll!LdrUnloadDll 77D9C86E 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3744] ntdll.dll!LdrLoadDll 77DA223E 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3744] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3744] USER32.dll!UnhookWindowsHookEx 7760ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3744] USER32.dll!UnhookWinEvent 7760B750 5 Bytes JMP 001003FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3744] USER32.dll!SetWindowsHookExW 7760E30C 5 Bytes JMP 00100804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3744] USER32.dll!SetWinEventHook 776124DC 5 Bytes JMP 001001F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3744] USER32.dll!SetWindowsHookExA 77636D0C 5 Bytes JMP 00100600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3980] kernel32.dll!GetBinaryTypeW + 70 765369F4 1 Byte [62]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1396] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73EBF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\afwServ.exe[1448] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73EBF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2684] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73EBF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume12 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume13 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
Device \Driver\ACPI_HAL \Device\00000057 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume10 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume11 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\0009dd5027c7 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\0009dd5027c7@00247d022488 0x6B 0xB5 0x1C 0xB5 ...
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\0009dd5027c7@9c1874f1ffe9 0x3E 0x30 0x00 0xA5 ...
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\0009dd5027c7@001c9addf29c 0x5A 0xCB 0x88 0x43 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0009dd5027c7
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0009dd5027c7@9c1874f1ffe9 0x3E 0x30 0x00 0xA5 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0009dd5027c7@001c9addf29c 0x5A 0xCB 0x88 0x43 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0009dd5027c7@001fe39ca42c 0xBE 0xB4 0x4D 0xF8 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0009dd5027c7@6cd68a369847 0xDD 0x34 0x5B 0x84 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0009dd5027c7@782eef752019 0x94 0xB1 0x9B 0x25 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0009dd5027c7@00247d022488 0xB5 0xCC 0x36 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0009dd5027c7@2421abc7cf09 0x51 0x18 0x9F 0x36 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0009dd5027c7@90c1153ac01a 0x5B 0xDB 0x2E 0x92 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application@Sources MSDMine?DfSdk
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0009dd5027c7 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0009dd5027c7@9c1874f1ffe9 0x3E 0x30 0x00 0xA5 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0009dd5027c7@001c9addf29c 0x5A 0xCB 0x88 0x43 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0009dd5027c7@001fe39ca42c 0xBE 0xB4 0x4D 0xF8 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0009dd5027c7@6cd68a369847 0xDD 0x34 0x5B 0x84 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0009dd5027c7@782eef752019 0x94 0xB1 0x9B 0x25 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0009dd5027c7@00247d022488 0xB5 0xCC 0x36 0x75 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0009dd5027c7@2421abc7cf09 0x51 0x18 0x9F 0x36 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0009dd5027c7@90c1153ac01a 0x5B 0xDB 0x2E 0x92 ...
Reg HKLM\SYSTEM\ControlSet003\services\eventlog\Application@Sources MSDMine?DfSdk

---- EOF - GMER 1.0.15 ----