GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-10 22:51:57
Windows 5.1.2600 Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600JB-00GVA0 rev.08.02D08 149,05GB
Running: m0538gk7.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pxtdapow.sys


---- System - GMER 2.0 ----

SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwAddBootEntry [0xF36AE4BA]
SSDT  dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)  ZwAllocateVirtualMemory [0xF7327088]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwAssignProcessToJobObject [0xF36AEED6]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwClose [0xF36F0811]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateEvent [0xF36B9FA8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateEventPair [0xF36B9FF4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateIoCompletion [0xF36BA176]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateKey [0xF36F01C5]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateMutant [0xF36B9F16]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateSection [0xF36BA038]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateSemaphore [0xF36B9F5E]
SSDT  dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)  ZwCreateThread [0xF73281E0]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateTimer [0xF36BA130]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDebugActiveProcess [0xF36AF93E]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDeleteBootEntry [0xF36AE508]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDeleteKey [0xF36F0ED7]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDeleteValueKey [0xF36F118D]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDuplicateObject [0xF36B31C2]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwEnumerateKey [0xF36F0D42]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwEnumerateValueKey [0xF36F0BAD]
SSDT  dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)  ZwFreeVirtualMemory [0xF7327306]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwLoadDriver [0xF36AE170]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwModifyBootEntry [0xF36AE556]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwNotifyChangeKey [0xF36B3534]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwNotifyChangeMultipleKeys [0xF36B03A6]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenEvent [0xF36B9FD2]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenEventPair [0xF36BA016]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenIoCompletion [0xF36BA19A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenKey [0xF36F0521]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenMutant [0xF36B9F3C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenProcess [0xF36B2C3E]
SSDT  dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)  ZwOpenSection [0xF7326ED2]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenSemaphore [0xF36B9F86]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenThread [0xF36B2F14]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenTimer [0xF36BA154]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwProtectVirtualMemory [0xF3783E4A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueryKey [0xF36F0A28]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueryObject [0xF36B0272]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueryValueKey [0xF36F087A]
SSDT  dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)  ZwQueueApcThread [0xF73282E2]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwRenameKey [0xF37907D2]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwRestoreKey [0xF36EF838]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetBootEntryOrder [0xF36AE5A4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetBootOptions [0xF36AE5F2]
SSDT  dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)  ZwSetContextThread [0xF732832E]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetSystemInformation [0xF36AE1FA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetSystemPowerState [0xF36AE3AA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetValueKey [0xF36F0FDE]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwShutdownSystem [0xF36AE350]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSuspendProcess [0xF36AFAF8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSuspendThread [0xF36AFC54]
SSDT  dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)  ZwSystemDebugControl [0xF7326E00]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwTerminateProcess [0xF36AF4D4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwTerminateThread [0xF36AF636]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwUnloadDriver [0xF378241C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwVdmControl [0xF36AE640]
SSDT  dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)  ZwWriteVirtualMemory [0xF7327416]

Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateProcessEx [0xF379CE56]
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObInsertObject
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObMakeTemporaryObject

---- Kernel code sections - GMER 2.0 ----

.text  ntkrnlpa.exe!ZwCallbackReturn + 26C8  80501F18 12 Bytes  [A4, E5, 6A, F3, F2, E5, 6A, ...] {MOVSB ; IN EAX, 0x6a; IN EAX, 0x6a; XOR DWORD [CS:EDX], -0x9}
.text  ntkrnlpa.exe!ZwCallbackReturn + 2770  80501FC0 12 Bytes  [F8, FA, 6A, F3, 54, FC, 6A, ...]
PAGE   ntkrnlpa.exe!ObMakeTemporaryObject  805B1E1E 5 Bytes  JMP F3799CF6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE   ntkrnlpa.exe!ObInsertObject  805B8C96 5 Bytes  JMP F379B810 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE   ntkrnlpa.exe!ZwCreateProcessEx  805C7540 7 Bytes  JMP F379CE5A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xF6682380, 0x3DEB95, 0xE8000020]
?      system32\drivers\xpsec.sys  The system cannot find the path specified. !
?      system32\drivers\xcpip.sys  The system cannot find the path specified. !

---- User code sections - GMER 2.0 ----

.text  C:\WINDOWS\system32\svchost.exe[424] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[424] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[552] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[552] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[552] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 00EB9293
.text  C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[552] WS2_32.dll!send  71A54C27 5 Bytes  JMP 00EB8DBF
.text  C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[552] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 00EB9145
.text  C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[552] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 00EB8F11
.text  C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe[552] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 00EB8FE4
.text  C:\WINDOWS\System32\smss.exe[668] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Program Files\Common Files\LightScribe\LSSrvc.exe[688] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Program Files\Common Files\LightScribe\LSSrvc.exe[688] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\csrss.exe[716] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\csrss.exe[716] KERNEL32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\winlogon.exe[740] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\winlogon.exe[740] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\winlogon.exe[740] Secur32.dll!LsaLogonUser  77FE33F1 5 Bytes  JMP 00F52C81
.text  C:\WINDOWS\system32\services.exe[784] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\services.exe[784] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\lsass.exe[796] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\nvsvc32.exe[956] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\nvsvc32.exe[956] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\nvsvc32.exe[956] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 00969293
.text  C:\WINDOWS\system32\nvsvc32.exe[956] WS2_32.dll!send  71A54C27 5 Bytes  JMP 00968DBF
.text  C:\WINDOWS\system32\nvsvc32.exe[956] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 00969145
.text  C:\WINDOWS\system32\nvsvc32.exe[956] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 00968F11
.text  C:\WINDOWS\system32\nvsvc32.exe[956] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 00968FE4
.text  C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[1092] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[1092] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[1092] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 00E89293
.text  C:\WINDOWS\system32\RUNDLL32.EXE[1092] WS2_32.dll!send  71A54C27 5 Bytes  JMP 00E88DBF
.text  C:\WINDOWS\system32\RUNDLL32.EXE[1092] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 00E89145
.text  C:\WINDOWS\system32\RUNDLL32.EXE[1092] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 00E88F11
.text  C:\WINDOWS\system32\RUNDLL32.EXE[1092] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 00E88FE4
.text  C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1108] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe[1108] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\System32\alg.exe[1120] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\System32\alg.exe[1120] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\System32\alg.exe[1120] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 00AC9293
.text  C:\WINDOWS\System32\alg.exe[1120] WS2_32.dll!send  71A54C27 5 Bytes  JMP 00AC8DBF
.text  C:\WINDOWS\System32\alg.exe[1120] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 00AC9145
.text  C:\WINDOWS\System32\alg.exe[1120] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 00AC8F11
.text  C:\WINDOWS\System32\alg.exe[1120] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 00AC8FE4
.text  C:\WINDOWS\system32\svchost.exe[1160] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1160] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\System32\svchost.exe[1236] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1348] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1348] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1348] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 00E39293
.text  D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1348] WS2_32.dll!send  71A54C27 5 Bytes  JMP 00E38DBF
.text  D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1348] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 00E39145
.text  D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1348] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 00E38F11
.text  D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1348] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 00E38FE4
.text  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1372] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1372] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1372] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 01209293
.text  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1372] WS2_32.dll!send  71A54C27 5 Bytes  JMP 01208DBF
.text  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1372] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 01209145
.text  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1372] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 01208F11
.text  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1372] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 01208FE4
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1524] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1524] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1524] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 014A9293
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1524] WS2_32.dll!send  71A54C27 5 Bytes  JMP 014A8DBF
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1524] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 014A9145
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1524] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 014A8F11
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1524] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 014A8FE4
.text  C:\WINDOWS\Explorer.EXE[1564] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\Explorer.EXE[1564] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\Explorer.EXE[1564] USER32.dll!DisplayExitWindowsWarnings  7E3A9F91 5 Bytes  JMP 00E92A93
.text  C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 00ED9293
.text  C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!send  71A54C27 5 Bytes  JMP 00ED8DBF
.text  C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 00ED9145
.text  C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 00ED8F11
.text  C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 00ED8FE4
.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1648] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1648] kernel32.dll!SetUnhandledExceptionFilter  7C8449CD 4 Bytes  [C2, 04, 00, 90] {RET 0x4; NOP }
.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1648] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\spoolsv.exe[1780] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\spoolsv.exe[1780] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1852] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1852] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1852] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 00F29293
.text  C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1852] WS2_32.dll!send  71A54C27 5 Bytes  JMP 00F28DBF
.text  C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1852] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 00F29145
.text  C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1852] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 00F28F11
.text  C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1852] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 00F28FE4
.text  D:\Program Files\Ashampoo\Ashampoo WinOptimizer 2012\DfsdkS.exe[1888] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  D:\Program Files\Ashampoo\Ashampoo WinOptimizer 2012\DfsdkS.exe[1888] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  D:\Program Files\Ashampoo\Ashampoo WinOptimizer 2012\DfsdkS.exe[1888] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 00E99293
.text  D:\Program Files\Ashampoo\Ashampoo WinOptimizer 2012\DfsdkS.exe[1888] WS2_32.dll!send  71A54C27 5 Bytes  JMP 00E98DBF
.text  D:\Program Files\Ashampoo\Ashampoo WinOptimizer 2012\DfsdkS.exe[1888] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 00E99145
.text  D:\Program Files\Ashampoo\Ashampoo WinOptimizer 2012\DfsdkS.exe[1888] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 00E98F11
.text  D:\Program Files\Ashampoo\Ashampoo WinOptimizer 2012\DfsdkS.exe[1888] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 00E98FE4
.text  C:\WINDOWS\system32\FsUsbExService.Exe[1968] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\FsUsbExService.Exe[1968] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\Program Files\Nero\Nero 7\InCD\InCD.exe[2156] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Program Files\Nero\Nero 7\InCD\InCD.exe[2156] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\Program Files\Nero\Nero 7\InCD\InCD.exe[2156] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 01AE9293
.text  C:\Program Files\Nero\Nero 7\InCD\InCD.exe[2156] WS2_32.dll!send  71A54C27 5 Bytes  JMP 01AE8DBF
.text  C:\Program Files\Nero\Nero 7\InCD\InCD.exe[2156] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 01AE9145
.text  C:\Program Files\Nero\Nero 7\InCD\InCD.exe[2156] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 01AE8F11
.text  C:\Program Files\Nero\Nero 7\InCD\InCD.exe[2156] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 01AE8FE4
.text  C:\Program Files\Cyberlink\Shared files\RichVideo.exe[2216] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Program Files\Cyberlink\Shared files\RichVideo.exe[2216] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\Program Files\Cyberlink\Shared files\RichVideo.exe[2216] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 00F29293
.text  C:\Program Files\Cyberlink\Shared files\RichVideo.exe[2216] WS2_32.dll!send  71A54C27 5 Bytes  JMP 00F28DBF
.text  C:\Program Files\Cyberlink\Shared files\RichVideo.exe[2216] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 00F29145
.text  C:\Program Files\Cyberlink\Shared files\RichVideo.exe[2216] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 00F28F11
.text  C:\Program Files\Cyberlink\Shared files\RichVideo.exe[2216] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 00F28FE4
.text  C:\Program Files\AVAST Software\Avast\avastUI.exe[2220] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Program Files\AVAST Software\Avast\avastUI.exe[2220] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\Program Files\AVAST Software\Avast\avastUI.exe[2220] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 01589293
.text  C:\Program Files\AVAST Software\Avast\avastUI.exe[2220] WS2_32.dll!send  71A54C27 5 Bytes  JMP 01588DBF
.text  C:\Program Files\AVAST Software\Avast\avastUI.exe[2220] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 01589145
.text  C:\Program Files\AVAST Software\Avast\avastUI.exe[2220] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 01588F11
.text  C:\Program Files\AVAST Software\Avast\avastUI.exe[2220] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 01588FE4
.text  C:\Program Files\Canon\CAL\CALMAIN.exe[2388] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\Program Files\Canon\CAL\CALMAIN.exe[2388] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\Program Files\Canon\CAL\CALMAIN.exe[2388] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 00E09293
.text  C:\Program Files\Canon\CAL\CALMAIN.exe[2388] WS2_32.dll!send  71A54C27 5 Bytes  JMP 00E08DBF
.text  C:\Program Files\Canon\CAL\CALMAIN.exe[2388] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 00E09145
.text  C:\Program Files\Canon\CAL\CALMAIN.exe[2388] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 00E08F11
.text  C:\Program Files\Canon\CAL\CALMAIN.exe[2388] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 00E08FE4
.text  C:\WINDOWS\System32\svchost.exe[2432] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\System32\svchost.exe[2432] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  D:\Program Files\m0538gk7.exe[2460] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  D:\Program Files\m0538gk7.exe[2460] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\System32\svchost.exe[2772] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\System32\svchost.exe[2772] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\wdfmgr.exe[3132] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\wdfmgr.exe[3132] kernel32.dll!GetBinaryTypeW + 80  7C868E04 1 Byte  [62]
.text  C:\WINDOWS\system32\wdfmgr.exe[3132] WS2_32.dll!closesocket  71A53E2B 5 Bytes  JMP 00979293
.text  C:\WINDOWS\system32\wdfmgr.exe[3132] WS2_32.dll!send  71A54C27 5 Bytes  JMP 00978DBF
.text  C:\WINDOWS\system32\wdfmgr.exe[3132] WS2_32.dll!WSARecv  71A54CB5 5 Bytes  JMP 00979145
.text  C:\WINDOWS\system32\wdfmgr.exe[3132] WS2_32.dll!recv  71A5676F 5 Bytes  JMP 00978F11
.text  C:\WINDOWS\system32\wdfmgr.exe[3132] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 00978FE4

---- User IAT/EAT - GMER 2.0 ----

IAT  C:\WINDOWS\system32\services.exe[784] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  003D0002
IAT  C:\WINDOWS\system32\services.exe[784] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]  003D0000
IAT  C:\Program Files\AVAST Software\Avast\afwServ.exe[1524] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1648] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT  C:\Program Files\AVAST Software\Avast\avastUI.exe[2220] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Processes - GMER 2.0 ----

Library  C:\WINDOWS\system32\AcSignIcon.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1564] 0x10000000

---- Files - GMER 2.0 ----

File  C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index66f.dat  0 bytes
File  C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP27B.tmp  0 bytes

---- EOF - GMER 2.0 ----
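Added example, not part of the GMER output above and not GMER's own code: a small Python triage script for logs in this layout. It does not decide what is benign or malicious; it separates the entries GMER could attribute to a named vendor module (the "(description/Vendor)" suffix) from the ones it could not, lists anything GMER marked hidden, and groups user-mode inline JMP hooks whose target is not backed by a named module by hooked symbol and the low 16 bits of the target. That last check rests on a fact the log itself does not state: Windows maps images at 64 KiB-aligned bases, so the same injected code mapped into many processes shows identical low 16 bits at different bases (as the WS2_32 hooks above do). The sample lines are copied from this scan; the regexes assume GMER 2.0 text formatting, which is an assumption of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: one or two entries of each line type copied from the scan
# above, so the parser can be exercised offline without a real GMER run.
SAMPLE_LOG = r"""
---- System - GMER 2.0 ----
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenProcess [0xF36B2C3E]
SSDT  dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)  ZwWriteVirtualMemory [0xF7327416]
---- Kernel code sections - GMER 2.0 ----
PAGE  ntkrnlpa.exe!ObInsertObject  805B8C96 5 Bytes  JMP F379B810 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
?     system32\drivers\xpsec.sys  The system cannot find the path specified. !
---- User code sections - GMER 2.0 ----
.text  C:\WINDOWS\system32\winlogon.exe[740] ntdll.dll!RtlDosSearchPath_U + 186  7C916865 1 Byte  [62]
.text  C:\WINDOWS\system32\winlogon.exe[740] Secur32.dll!LsaLogonUser  77FE33F1 5 Bytes  JMP 00F52C81
.text  C:\WINDOWS\system32\nvsvc32.exe[956] WS2_32.dll!send  71A54C27 5 Bytes  JMP 00968DBF
.text  C:\WINDOWS\System32\alg.exe[1120] WS2_32.dll!send  71A54C27 5 Bytes  JMP 00AC8DBF
---- User IAT/EAT - GMER 2.0 ----
IAT  C:\WINDOWS\system32\services.exe[784] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]  003D0000
IAT  C:\Program Files\AVAST Software\Avast\avastUI.exe[2220] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
---- Processes - GMER 2.0 ----
Library  C:\WINDOWS\system32\AcSignIcon.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1564] 0x10000000
---- EOF - GMER 2.0 ----
"""

# GMER attributes a hook to a module with a "(description/Vendor)" suffix.
ATTRIB = re.compile(r'\(([^()/]*)/([^()]*)\)')
HIDDEN = re.compile(r'\(\*\*\* hidden \*\*\* ?\)')
# First token is the entry kind; "<path>[pid]" identifies the process, if any.
PROC = re.compile(r'^(?P<kind>\S+)\s+(?P<proc>.+?\[\s?(?P<pid>\d+)\])')
JMP = re.compile(r'\bJMP (?P<target>[0-9A-F]{8})\b')
# Hooked symbol: a Zw* system call or "module.dll!Function".
SYMBOL = re.compile(r'\b(?P<sym>Zw\w+|[\w.]+\.(?:dll|DLL|exe|EXE)!\w+)')


def parse_line(line):
    """Turn one GMER entry into a dict; None for blank lines and section headers."""
    line = line.rstrip()
    if not line or line.startswith('----'):
        return None
    m_attr, m_sym, m_jmp, m_proc = (ATTRIB.search(line), SYMBOL.search(line),
                                    JMP.search(line), PROC.match(line))
    return {
        'kind': line.split(None, 1)[0],
        'symbol': m_sym.group('sym') if m_sym else None,
        'vendor': m_attr.group(2).strip() if m_attr else None,
        'jmp_target': m_jmp.group('target') if m_jmp else None,
        'hidden': bool(HIDDEN.search(line)),
        # keep only "image.exe[pid]" so the same process name groups cleanly
        'process': m_proc.group('proc').rsplit('\\', 1)[-1] if m_proc else None,
        'raw': line,
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def classify(e):
    """Bucket an entry by how much GMER could say about it."""
    if e['hidden']:
        return 'hidden'                 # module not visible to normal enumeration
    if e['kind'] == '?':
        return 'unresolvable_path'      # registered driver whose file cannot be found
    if e['vendor']:
        return 'attributed'             # GMER resolved the hook to a named module
    if e['jmp_target']:
        return 'jmp_unresolved'         # inline JMP into memory backed by no named module
    return 'unattributed'               # byte patch or IAT entry with no module resolved


def triage(text):
    report = {'by_vendor': Counter(), 'hidden': [], 'jmp_unresolved': [],
              'unattributed': [], 'unresolvable_path': []}
    for e in parse_log(text):
        bucket = classify(e)
        if bucket == 'attributed':
            report['by_vendor'][e['vendor']] += 1
        else:
            report[bucket].append(e)
    return report


def jmp_pattern(entries):
    """Group unresolved JMP hooks by (symbol, low 16 bits of target).

    Image bases are 64 KiB aligned, so one injected module mapped into many
    processes yields identical low halves at different bases; distinct low
    halves for the same symbol point at different code."""
    groups = defaultdict(list)
    for e in entries:
        if classify(e) == 'jmp_unresolved':
            key = (e['symbol'], f"{int(e['jmp_target'], 16) & 0xFFFF:04X}")
            groups[key].append(e['process'])
    return dict(groups)


if __name__ == '__main__':
    rep = triage(SAMPLE_LOG)
    print('attributed hooks per vendor:', dict(rep['by_vendor']))
    for bucket in ('hidden', 'unresolvable_path', 'unattributed', 'jmp_unresolved'):
        for e in rep[bucket]:
            print(f'[{bucket}] {e["raw"]}')
    for (sym, low16), procs in jmp_pattern(parse_log(SAMPLE_LOG)).items():
        print(f'{sym} -> ....{low16} in {len(procs)} process(es): {", ".join(procs)}')
```

Run it against a full GMER log by reading the file into `triage()`; on the scan above, every WS2_32 hook lands in one `jmp_pattern` group per function (low halves 9293, 8DBF, 9145, 8F11, 8FE4) across all hooked processes, which is the signature of a single injected module rather than per-process patching. Whether that module is the security product's own is a question for the process memory map, not for this script.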