GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2013-01-03 11:51:20 Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-5 WDC_WD1600BEVT-22ZCT0 rev.11.01A11 Running: 0wfq7l39.exe; Driver: C:\DOCUME~1\WACICI~1\USTAWI~1\Temp\kwloiuog.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA8A334BA] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA8AE0C22] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xA8A33ED6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA8A75811] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA8A3EFA8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA8A3EFF4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA8A3F176] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA8A751C5] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA8A3EF16] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA8A3F038] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA8A3EF5E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xA8A3411C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA8A3F130] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xA8A3493E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA8A33508] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA8A75ED7] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA8A7618D] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA8A381C2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA8A75D42] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA8A75BAD] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA8AE0CEA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA8A33170] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA8A33556] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA8A38534] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA8A353A6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA8A3EFD2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA8A3F016] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA8A3F19A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA8A75521] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA8A3EF3C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA8A37C3E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA8A3F0BA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA8A3EF86] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA8A37F14] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA8A3F154] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xA8AE0E4A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA8A75A28] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA8A35272] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA8A7587A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xA8A34DD4] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA8AED7D2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA8A74838] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA8A335A4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA8A335F2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xA8A347BE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA8A331FA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA8A333AA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA8A75FDE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA8A33350] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xA8A34AF8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xA8A34C54] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA8A3341A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateProcess [0xA8A344D4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xA8A34636] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0xA8ADF41C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA8A33640] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xA8A33F1A] INT 0x62 ? 89E44BF8 INT 0xA4 ? 89C80BF8 INT 0xB4 ? 89E44BF8 INT 0xB4 ? 89E44BF8 INT 0xB4 ? 89C80BF8 INT 0xB4 ? 89E44BF8 Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA8AF9E56] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2CE4 80503AB8 4 Bytes JMP C4A8AE0C .text ntkrnlpa.exe!ZwCallbackReturn + 2EE4 80503CB8 12 Bytes [A4, 35, A3, A8, F2, 35, A3, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2F8C 80503D60 12 Bytes [F8, 4A, A3, A8, 54, 4C, A3, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A4F7E 4 Bytes CALL A8A35A77 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BAF9A 5 Bytes JMP A8AF6CF6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject 805C18D0 5 Bytes JMP A8AF8810 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFA2E 7 Bytes JMP A8AF9E5A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ? spib.sys Nie można odnaleźć określonego pliku. ! .text USBPORT.SYS!DllUnload B958162C 5 Bytes JMP 89C801D8 .text win32k.sys!EngFreeUserMem + 674 BF809B45 5 Bytes JMP A8A39B4C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngFreeUserMem + 35D0 BF80CAA1 5 Bytes JMP A8A39A3C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngDeleteSurface + 45 BF80FBC0 5 Bytes JMP A8A399F6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!BRUSHOBJ_pvAllocRbrush + 11F0 BF81C962 5 Bytes JMP A8A390A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngPaint + 4EF BF8255ED 5 Bytes JMP A8A387C4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnmapFontFileFD + 1E5F BF8341A1 5 Bytes JMP A8A39CB6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnmapFontFileFD + 237D BF8346BF 5 Bytes JMP A8A398FC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnmapFontFileFD + 4564 BF8368A6 5 Bytes JMP A8A39EBE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnmapFontFileFD + EE3F BF841181 5 Bytes JMP A8A38834 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!FONTOBJ_pxoGetXform + DE42 BF85AD4E 5 Bytes JMP A8A38688 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMulDiv + B5F2 BF8670A0 5 Bytes JMP A8A39090 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XLATEOBJ_iXlate + 3474 BF87111B 5 Bytes JMP A8A38C1E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XLATEOBJ_iXlate + 34FF BF8711A6 4 Bytes JMP A8A38EE4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngStretchBlt + 35C1 BF87593B 5 Bytes JMP A8A39A86 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGetCurrentCodePage + 35FB BF894195 5 Bytes JMP A8A38CDE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGetCurrentCodePage + 411E BF894CB8 5 Bytes JMP A8A38E9E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGetLastError + 1606 BF8B1EF6 5 Bytes JMP A8A39182 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGradientFill + 3AA1 BF8B6854 5 Bytes JMP A8A39BFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngStretchBltROP + 33F7 BF8BA1A0 5 Bytes JMP A8A3916A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngStretchBltROP + 34B7 BF8BA260 5 Bytes JMP A8A38670 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngStretchBltROP + 8A22 BF8BF7CB 5 Bytes JMP A8A39E1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngAlphaBlend + 3E8 BF8C333C 4 Bytes JMP A8A38944 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngFillPath + 1517 BF8EB97D 5 Bytes JMP A8A38A1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngFillPath + 1797 BF8EBBFD 5 Bytes JMP A8A38B48 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngFillPath + B223 BF8F5689 5 Bytes JMP A8A390C0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bCloseFigure + 19EF BF8F9A43 5 Bytes JMP A8A3856A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 19C1 BF913245 5 Bytes JMP A8A38760 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 2595 BF913E19 5 Bytes JMP A8A388F0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 4EF4 BF916778 5 Bytes JMP A8A38FFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngPlgBlt + 18EC BF94468A 5 Bytes JMP A8A39D74 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[188] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[188] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[360] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[624] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[692] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[692] KERNEL32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[716] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\services.exe[760] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\services.exe[760] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\savedump.exe[772] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\savedump.exe[772] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[780] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[780] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe[928] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe[928] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[936] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1044] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1044] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1244] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Lenovo\Energy Management\utility.exe[1276] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\Lenovo\Energy Management\utility.exe[1276] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[1348] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[1348] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\igfxtray.exe[1440] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\igfxtray.exe[1440] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\hkcmd.exe[1448] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\hkcmd.exe[1448] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\RTHDCPL.EXE[1456] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\RTHDCPL.EXE[1456] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text D:\programy\Alwil Software\Avast5\AvastSvc.exe[1512] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text D:\programy\Alwil Software\Avast5\AvastSvc.exe[1512] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text D:\programy\Alwil Software\Avast5\AvastSvc.exe[1512] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1568] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1568] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1656] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Java\jre6\bin\jqs.exe[1708] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\Java\jre6\bin\jqs.exe[1708] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\igfxsrvc.exe[1720] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\igfxsrvc.exe[1720] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[1732] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\Lenovo\Energy Management\Energy Management.exe[1732] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\igfxpers.exe[1752] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\igfxpers.exe[1752] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1772] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1772] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[1816] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[1816] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[1856] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[1856] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1860] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[1872] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[1872] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe[1892] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\Program Files\Lenovo\OneKey App\System Repair\UpdateMonitor.exe[1892] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text D:\programy\Alwil Software\Avast5\avastUI.exe[2012] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text D:\programy\Alwil Software\Avast5\avastUI.exe[2012] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE[2176] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE[2176] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[2720] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[2720] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3236] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3236] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3236] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3236] KERNEL32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text D:\MOZILLA download\0wfq7l39.exe[3556] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003C01F8 .text D:\MOZILLA download\0wfq7l39.exe[3556] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text D:\MOZILLA download\0wfq7l39.exe[3556] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 003C03FC .text D:\MOZILLA download\0wfq7l39.exe[3556] KERNEL32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text D:\MOZILLA download\0wfq7l39.exe[3556] ADVAPI32.dll!SetServiceObjectSecurity 77E26C29 5 Bytes JMP 009B1014 .text D:\MOZILLA download\0wfq7l39.exe[3556] ADVAPI32.dll!ChangeServiceConfigA 77E26D11 5 Bytes JMP 009B0804 .text D:\MOZILLA download\0wfq7l39.exe[3556] ADVAPI32.dll!ChangeServiceConfigW 77E26EA9 5 Bytes JMP 009B0A08 .text D:\MOZILLA download\0wfq7l39.exe[3556] ADVAPI32.dll!ChangeServiceConfig2A 77E26FA9 5 Bytes JMP 009B0C0C .text D:\MOZILLA download\0wfq7l39.exe[3556] ADVAPI32.dll!ChangeServiceConfig2W 77E27031 5 Bytes JMP 009B0E10 .text D:\MOZILLA download\0wfq7l39.exe[3556] ADVAPI32.dll!CreateServiceA 77E270B9 5 Bytes JMP 009B01F8 .text D:\MOZILLA download\0wfq7l39.exe[3556] ADVAPI32.dll!CreateServiceW 77E27251 5 Bytes JMP 009B03FC .text D:\MOZILLA download\0wfq7l39.exe[3556] ADVAPI32.dll!DeleteService 77E27359 5 Bytes JMP 009B0600 .text D:\MOZILLA download\0wfq7l39.exe[3556] USER32.dll!UnhookWindowsHookEx 7E36F21E 5 Bytes JMP 009C0A08 .text D:\MOZILLA download\0wfq7l39.exe[3556] USER32.dll!SetWindowsHookExW 7E37DDB5 5 Bytes JMP 009C0804 .text D:\MOZILLA download\0wfq7l39.exe[3556] USER32.dll!SetWindowsHookExA 7E3811D1 5 Bytes JMP 009C0600 .text D:\MOZILLA download\0wfq7l39.exe[3556] USER32.dll!SetWinEventHook 7E3817B7 5 Bytes JMP 009C01F8 .text D:\MOZILLA download\0wfq7l39.exe[3556] USER32.dll!UnhookWinEvent 7E38186C 5 Bytes JMP 009C03FC .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4016] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 003001F8 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4016] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916AC2 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4016] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 003003FC .text C:\WINDOWS\system32\wbem\wmiprvse.exe[4016] KERNEL32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spib.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] spib.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] spib.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] spib.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] spib.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] spib.sys ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002 IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000 IAT D:\programy\Alwil Software\Avast5\AvastSvc.exe[1512] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] D:\programy\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software) IAT D:\programy\Alwil Software\Avast5\avastUI.exe[2012] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] D:\programy\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) Device \FileSystem\Ntfs \Ntfs 89E431F8 AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo) AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\usbehci \Device\USBPDO-0 89C501F8 Device \Driver\usbuhci \Device\USBPDO-1 89C7F1F8 Device \Driver\usbuhci \Device\USBPDO-2 89C7F1F8 Device \Driver\usbuhci \Device\USBPDO-3 89C7F1F8 Device \Driver\usbuhci \Device\USBPDO-4 89C7F1F8 AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\Ftdisk \Device\HarddiskVolume1 89DD51F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 89DD51F8 Device \Driver\atapi \Device\Ide\IdePort0 89E441F8 Device \Driver\atapi \Device\Ide\IdePort1 89E441F8 Device \Driver\atapi \Device\Ide\IdePort2 89E441F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 89E441F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 89B52500 Device \Driver\NetBT \Device\NetbiosSmb 89B52500 AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\NetBT \Device\NetBT_Tcpip_{365C0A87-581A-4848-9E10-8F1D0082379F} 89B52500 Device \Driver\usbuhci \Device\USBFDO-0 89C7F1F8 Device \Driver\usbuhci \Device\USBFDO-1 89C7F1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89B81500 Device \Driver\usbuhci \Device\USBFDO-2 89C7F1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89B81500 Device \Driver\usbuhci \Device\USBFDO-3 89C7F1F8 Device \Driver\usbehci \Device\USBFDO-4 89C501F8 Device \Driver\Ftdisk \Device\FtControl 89DD51F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4A 0x09 0xDF 0x37 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4A 0x09 0xDF 0x37 ... ---- EOF - GMER 1.0.15 ----