GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-12-28 18:55:31
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3160812A rev.2AAA
Running: lhxul5mr.exe; Driver: C:\DOCUME~1\Mateusz\USTAWI~1\Temp\kxldrpob.sys


---- System - GMER 1.0.15 ----

SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwAddBootEntry [0xF47344BA]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwAllocateVirtualMemory [0xF4809C22]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwAssignProcessToJobObject [0xF4734ED6]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwClose [0xF4776811]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateEvent [0xF473FFA8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateEventPair [0xF473FFF4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateIoCompletion [0xF4740176]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateKey [0xF47761C5]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateMutant [0xF473FF16]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateSection [0xF4740038]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateSemaphore [0xF473FF5E]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateThread [0xF473511C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateTimer [0xF4740130]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDebugActiveProcess [0xF473593E]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDeleteBootEntry [0xF4734508]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDeleteKey [0xF4776ED7]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDeleteValueKey [0xF477718D]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDuplicateObject [0xF47391C2]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwEnumerateKey [0xF4776D42]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwEnumerateValueKey [0xF4776BAD]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwFreeVirtualMemory [0xF4809CEA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwLoadDriver [0xF4734170]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwModifyBootEntry [0xF4734556]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwNotifyChangeKey [0xF4739534]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwNotifyChangeMultipleKeys [0xF47363A6]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenEvent [0xF473FFD2]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenEventPair [0xF4740016]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenIoCompletion [0xF474019A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenKey [0xF4776521]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenMutant [0xF473FF3C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenProcess [0xF4738C3E]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenSection [0xF47400BA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenSemaphore [0xF473FF86]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenThread [0xF4738F14]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenTimer [0xF4740154]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwProtectVirtualMemory [0xF4809E4A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueryKey [0xF4776A28]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueryObject [0xF4736272]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueryValueKey [0xF477687A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueueApcThread [0xF4735DD4]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwRenameKey [0xF48167D2]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwRestoreKey [0xF4775838]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetBootEntryOrder [0xF47345A4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetBootOptions [0xF47345F2]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetContextThread [0xF47357BE]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetSystemInformation [0xF47341FA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetSystemPowerState [0xF47343AA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetValueKey [0xF4776FDE]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwShutdownSystem [0xF4734350]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSuspendProcess [0xF4735AF8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSuspendThread [0xF4735C54]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSystemDebugControl [0xF473441A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwTerminateProcess [0xF47354D4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwTerminateThread [0xF4735636]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwUnloadDriver [0xF480841C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwVdmControl [0xF4734640]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwWriteVirtualMemory [0xF4734F1A]

Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateProcessEx [0xF4822E56]
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObInsertObject
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text  ntoskrnl.exe!_abnormal_termination + 198  804E2804 4 Bytes  [EA, 9C, 80, F4]
.text  ntoskrnl.exe!_abnormal_termination + 398  804E2A04 12 Bytes  [A4, 45, 73, F4, F2, 45, 73, ...]
.text  ntoskrnl.exe!_abnormal_termination + 440  804E2AAC 12 Bytes  [F8, 5A, 73, F4, 54, 5C, 73, ...] {CLC ; POP EDX; JAE 0xfffffffffffffff8; PUSH ESP; POP ESP; JAE 0xfffffffffffffffc; SBB AL, [EBX+ESI*2-0xc]}
PAGE  ntoskrnl.exe!ObInsertObject  8056513A 5 Bytes  JMP F4821810 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE  ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC  8056BB88 4 Bytes  CALL F4736A77 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE  ntoskrnl.exe!ZwCreateProcessEx  8058304C 7 Bytes  JMP F4822E5A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE  ntoskrnl.exe!ObMakeTemporaryObject  8059EA53 5 Bytes  JMP F481FCF6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xF6E02380, 0x346307, 0xE8000020]
.text  win32k.sys!EngFreeUserMem + 674  BF80991D 5 Bytes  JMP F473AB4C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngFreeUserMem + 35D0  BF80C879 5 Bytes  JMP F473AA3C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngDeleteSurface + 45  BF813911 5 Bytes  JMP F473A9F6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!BRUSHOBJ_pvAllocRbrush + 11D3  BF81C56B 5 Bytes  JMP F473A0A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngSetLastError + 79A8  BF8240DB 5 Bytes  JMP F47397C4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCreateBitmap + F9C  BF828A45 5 Bytes  JMP F473ACB6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngUnmapFontFileFD + 2C50  BF831490 5 Bytes  JMP F473AEBE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngUnmapFontFileFD + B687  BF839EC7 5 Bytes  JMP F473A8FC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!FONTOBJ_pxoGetXform + C2CF  BF85176B 5 Bytes  JMP F4739688 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!XLATEOBJ_iXlate + F17  BF85BC9A 5 Bytes  JMP F473A16A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!XLATEOBJ_iXlate + 3581  BF85E304 5 Bytes  JMP F4739C1E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!XLATEOBJ_iXlate + 360C  BF85E38F 5 Bytes  JMP F4739EE4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCreatePalette + 88  BF85F600 5 Bytes  JMP F4739670 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCreatePalette + 5466  BF8649DE 5 Bytes  JMP F473AA86 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngGetCurrentCodePage + 3651  BF87322E 5 Bytes  JMP F4739CDE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngGetCurrentCodePage + 418E  BF873D6B 5 Bytes  JMP F4739E9E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngGetLastError + 1606  BF890E66 5 Bytes  JMP F473A182 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngGradientFill + 26EE  BF894410 5 Bytes  JMP F473ABFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngStretchBltROP + 583  BF894EE8 5 Bytes  JMP F473AE1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCopyBits + 3862  BF89C29E 5 Bytes  JMP F473A090 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCopyBits + 4DF7  BF89D833 5 Bytes  JMP F4739834 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngEraseSurface + A977  BF8C1CCC 5 Bytes  JMP F4739944 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngFillPath + 1517  BF8CA15D 5 Bytes  JMP F4739A1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngFillPath + 1797  BF8CA3DD 5 Bytes  JMP F4739B48 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngDeleteSemaphore + 3B2E  BF8EBD71 5 Bytes  JMP F473956A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngDeleteSemaphore + CB31  BF8F4D74 5 Bytes  JMP F473A0C0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCreateClip + 1A40  BF914401 5 Bytes  JMP F4739760 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCreateClip + 2614  BF914FD5 5 Bytes  JMP F47398F0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngCreateClip + 4F8D  BF91794E 5 Bytes  JMP F4739FFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text  win32k.sys!EngPlgBlt + 1934  BF947AAD 5 Bytes  JMP F473AD74 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text  C:\Documents and Settings\Mateusz\Pulpit\lhxul5mr.exe[280] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Documents and Settings\Mateusz\Pulpit\lhxul5mr.exe[280] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\System32\smss.exe[540] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] ntdll.dll!LdrLoadDll  7C91632D 5 Bytes  JMP 003D01F8
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] ntdll.dll!LdrUnloadDll  7C9171CD 5 Bytes  JMP 003D03FC
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] KERNEL32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] user32.dll!SetWindowsHookExW  7E37820F 5 Bytes  JMP 010D0804
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] user32.dll!UnhookWindowsHookEx  7E37D5F3 5 Bytes  JMP 010D0A08
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] user32.dll!SetWindowsHookExA  7E381211 5 Bytes  JMP 010D0600
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] user32.dll!SetWinEventHook  7E3817F7 5 Bytes  JMP 010D01F8
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] user32.dll!UnhookWinEvent  7E3818AC 5 Bytes  JMP 010D03FC
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] ADVAPI32.dll!SetServiceObjectSecurity  77E26D81 5 Bytes  JMP 00DC1014
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] ADVAPI32.dll!ChangeServiceConfigA  77E26E69 5 Bytes  JMP 00DC0804
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] ADVAPI32.dll!ChangeServiceConfigW  77E27001 5 Bytes  JMP 00DC0A08
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] ADVAPI32.dll!ChangeServiceConfig2A  77E27101 5 Bytes  JMP 00DC0C0C
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] ADVAPI32.dll!ChangeServiceConfig2W  77E27189 5 Bytes  JMP 00DC0E10
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] ADVAPI32.dll!CreateServiceA  77E27211 5 Bytes  JMP 00DC01F8
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] ADVAPI32.dll!CreateServiceW  77E273A9 5 Bytes  JMP 00DC03FC
.text  C:\Documents and Settings\Mateusz\Pulpit\OTL.exe[584] ADVAPI32.dll!DeleteService  77E274B1 5 Bytes  JMP 00DC0600
.text  C:\WINDOWS\system32\csrss.exe[596] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\csrss.exe[596] KERNEL32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\winlogon.exe[620] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\winlogon.exe[620] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\services.exe[664] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\services.exe[664] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\lsass.exe[676] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\lsass.exe[676] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[840] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[840] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[884] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\System32\svchost.exe[952] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\System32\svchost.exe[952] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1136] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1300] ntdll.dll!LdrLoadDll  7C91632D 5 Bytes  JMP 003101F8
.text  C:\WINDOWS\system32\svchost.exe[1300] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1300] ntdll.dll!LdrUnloadDll  7C9171CD 5 Bytes  JMP 003103FC
.text  C:\WINDOWS\system32\svchost.exe[1300] KERNEL32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!SetServiceObjectSecurity  77E26D81 5 Bytes  JMP 00BB1014
.text  C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!ChangeServiceConfigA  77E26E69 5 Bytes  JMP 00BB0804
.text  C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!ChangeServiceConfigW  77E27001 5 Bytes  JMP 00BB0A08
.text  C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!ChangeServiceConfig2A  77E27101 5 Bytes  JMP 00BB0C0C
.text  C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!ChangeServiceConfig2W  77E27189 5 Bytes  JMP 00BB0E10
.text  C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!CreateServiceA  77E27211 5 Bytes  JMP 00BB01F8
.text  C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!CreateServiceW  77E273A9 5 Bytes  JMP 00BB03FC
.text  C:\WINDOWS\system32\svchost.exe[1300] ADVAPI32.dll!DeleteService  77E274B1 5 Bytes  JMP 00BB0600
.text  C:\WINDOWS\system32\wscntfy.exe[1368] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\wscntfy.exe[1368] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1428] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1428] kernel32.dll!SetUnhandledExceptionFilter  7C8449CD 4 Bytes  [C2, 04, 00, 90] {RET 0x4; NOP }
.text  C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1428] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\Explorer.EXE[1440] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\Explorer.EXE[1440] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\spoolsv.exe[1572] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\spoolsv.exe[1572] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\nvsvc32.exe[1744] ntdll.dll!LdrLoadDll  7C91632D 5 Bytes  JMP 003C01F8
.text  C:\WINDOWS\system32\nvsvc32.exe[1744] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\nvsvc32.exe[1744] ntdll.dll!LdrUnloadDll  7C9171CD 5 Bytes  JMP 003C03FC
.text  C:\WINDOWS\system32\nvsvc32.exe[1744] KERNEL32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\nvsvc32.exe[1744] ADVAPI32.dll!SetServiceObjectSecurity  77E26D81 5 Bytes  JMP 00851014
.text  C:\WINDOWS\system32\nvsvc32.exe[1744] ADVAPI32.dll!ChangeServiceConfigA  77E26E69 5 Bytes  JMP 00850804
.text  C:\WINDOWS\system32\nvsvc32.exe[1744] ADVAPI32.dll!ChangeServiceConfigW  77E27001 5 Bytes  JMP 00850A08
.text  C:\WINDOWS\system32\nvsvc32.exe[1744] ADVAPI32.dll!ChangeServiceConfig2A  77E27101 5 Bytes  JMP 00850C0C
.text  C:\WINDOWS\system32\nvsvc32.exe[1744] ADVAPI32.dll!ChangeServiceConfig2W  77E27189 5 Bytes  JMP 00850E10
.text  C:\WINDOWS\system32\nvsvc32.exe[1744] ADVAPI32.dll!CreateServiceA  77E27211 5 Bytes  JMP 008501F8
.text  C:\WINDOWS\system32\nvsvc32.exe[1744] ADVAPI32.dll!CreateServiceW  77E273A9 5 Bytes  JMP 008503FC
.text  C:\WINDOWS\system32\nvsvc32.exe[1744] ADVAPI32.dll!DeleteService  77E274B1 5 Bytes  JMP 00850600
.text  C:\WINDOWS\system32\svchost.exe[2020] ntdll.dll!LdrLoadDll  7C91632D 5 Bytes  JMP 003101F8
.text  C:\WINDOWS\system32\svchost.exe[2020] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[2020] ntdll.dll!LdrUnloadDll  7C9171CD 5 Bytes  JMP 003103FC
.text  C:\WINDOWS\system32\svchost.exe[2020] KERNEL32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!SetServiceObjectSecurity  77E26D81 5 Bytes  JMP 00AC1014
.text  C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!ChangeServiceConfigA  77E26E69 5 Bytes  JMP 00AC0804
.text  C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!ChangeServiceConfigW  77E27001 5 Bytes  JMP 00AC0A08
.text  C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!ChangeServiceConfig2A  77E27101 5 Bytes  JMP 00AC0C0C
.text  C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!ChangeServiceConfig2W  77E27189 5 Bytes  JMP 00AC0E10
.text  C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!CreateServiceA  77E27211 5 Bytes  JMP 00AC01F8
.text  C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!CreateServiceW  77E273A9 5 Bytes  JMP 00AC03FC
.text  C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!DeleteService  77E274B1 5 Bytes  JMP 00AC0600
.text  C:\WINDOWS\System32\alg.exe[2332] ntdll.dll!LdrLoadDll  7C91632D 5 Bytes  JMP 003101F8
.text  C:\WINDOWS\System32\alg.exe[2332] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\System32\alg.exe[2332] ntdll.dll!LdrUnloadDll  7C9171CD 5 Bytes  JMP 003103FC
.text  C:\WINDOWS\System32\alg.exe[2332] KERNEL32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2512] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2512] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\vsnpstd3.exe[2568] ntdll.dll!LdrLoadDll  7C91632D 5 Bytes  JMP 003C01F8
.text  C:\WINDOWS\vsnpstd3.exe[2568] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\vsnpstd3.exe[2568] ntdll.dll!LdrUnloadDll  7C9171CD 5 Bytes  JMP 003C03FC
.text  C:\WINDOWS\vsnpstd3.exe[2568] KERNEL32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] ntdll.dll!LdrLoadDll  7C91632D 5 Bytes  JMP 01694470 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] ntdll.dll!LdrUnloadDll  7C9171CD 5 Bytes  JMP 003103FC
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] KERNEL32.dll!lstrlenW + 43  7C809AEC 7 Bytes  JMP 018E047C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] KERNEL32.dll!MapViewOfFileEx + 6A  7C80B9A0 7 Bytes  JMP 018E0459 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] KERNEL32.dll!ValidateLocale + B1C8  7C8449C8 7 Bytes  JMP 0169F972 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] KERNEL32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] USER32.dll!SetWindowsHookExW  7E37820F 5 Bytes  JMP 022B0804
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] USER32.dll!GetWindowInfo  7E37C49C 5 Bytes  JMP 01802157 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] USER32.dll!UnhookWindowsHookEx  7E37D5F3 5 Bytes  JMP 022B0A08
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] USER32.dll!SetWindowsHookExA  7E381211 5 Bytes  JMP 022B0600
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] USER32.dll!SetWinEventHook  7E3817F7 5 Bytes  JMP 022B01F8
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] USER32.dll!UnhookWinEvent  7E3818AC 5 Bytes  JMP 022B03FC
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] GDI32.dll!SetDIBitsToDevice + 20A  77F19E14 7 Bytes  JMP 018E03DA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!SetServiceObjectSecurity  77E26D81 5 Bytes  JMP 02A71014
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!ChangeServiceConfigA  77E26E69 5 Bytes  JMP 02A70804
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!ChangeServiceConfigW  77E27001 5 Bytes  JMP 02A70A08
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!ChangeServiceConfig2A  77E27101 5 Bytes  JMP 02A70C0C
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!ChangeServiceConfig2W  77E27189 5 Bytes  JMP 02A70E10
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!CreateServiceA  77E27211 5 Bytes  JMP 02A701F8
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!CreateServiceW  77E273A9 5 Bytes  JMP 02A703FC
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3100] ADVAPI32.dll!DeleteService  77E274B1 5 Bytes  JMP 02A70600
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3632] ntdll.dll!LdrLoadDll  7C91632D 5 Bytes  JMP 003101F8
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3632] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3632] ntdll.dll!LdrUnloadDll  7C9171CD 5 Bytes  JMP 003103FC
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3632] KERNEL32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3632] ADVAPI32.dll!SetServiceObjectSecurity  77E26D81 5 Bytes  JMP 01761014
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3632] ADVAPI32.dll!ChangeServiceConfigA  77E26E69 5 Bytes  JMP 01760804
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3632] ADVAPI32.dll!ChangeServiceConfigW  77E27001 5 Bytes  JMP 01760A08
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3632] ADVAPI32.dll!ChangeServiceConfig2A  77E27101 5 Bytes  JMP 01760C0C
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3632] ADVAPI32.dll!ChangeServiceConfig2W  77E27189 5 Bytes  JMP 01760E10
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3632] ADVAPI32.dll!CreateServiceA  77E27211 5 Bytes  JMP 017601F8
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3632] ADVAPI32.dll!CreateServiceW  77E273A9 5 Bytes  JMP 017603FC
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[3632] ADVAPI32.dll!DeleteService  77E274B1 5 Bytes  JMP 01760600

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\WINDOWS\system32\services.exe[664] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  003D0002
IAT  C:\WINDOWS\system32\services.exe[664] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]  003D0000
IAT  C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1428] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW]  [64C8F6D0] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software)
IAT  C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2512] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW]  [64C8F6D0] C:\PROGRA~1\ALWILS~1\Avast5\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 1.0.15 ----

Device  \FileSystem\Ntfs \Ntfs  aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice  \FileSystem\Ntfs \Ntfs  aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice  \Driver\Tcpip \Device\Ip  aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp  aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1  snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2  snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3  snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Tcpip \Device\Udp  aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp  aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----