GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-19 23:33:38 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000070 ATA_____ rev.A___ 232,89GB Running: m57g1hli.exe; Driver: C:\Users\Lamer\AppData\Local\Temp\kwtoapow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8FA4B610] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x895B45FA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8FA4C0E6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8FA57F18] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8FA57F64] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8FA580FE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8FA57E86] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x895B4992] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8FA57ECE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8FA4C5E4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8FA4C800] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8FA580B8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8FA4CE9C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8FA4B676] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0x8FA50596] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x895B46C2] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x895B2C12] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8FA4B6DC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8FA5098C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8FA4D92C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8FA57F42] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8FA57F86] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8FA58122] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8FA57EAC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0x8FA4FE78] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8FA58036] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8FA57EF6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0x8FA5026E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8FA580DC] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x895B4822] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8FA4D7F8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThreadEx [0x8FA4D506] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8FA4B742] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8FA4B7A8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8FA4CD16] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8FA4B2F8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8FA4B4CE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8FA4B45C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8FA4D066] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8FA4D1C8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8FA4B556] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x895B48EA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8FA4CCF6] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0x895B2C42] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8FA4B80E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x895B476E] INT 0x51 ? 9BF7CA58 INT 0x71 ? 9BF7C558 INT 0x81 ? 9BF7C7D8 Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x895CDE00] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 83043A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8307D212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 83084460 4 Bytes [10, B6, A4, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 83084488 4 Bytes [FA, 45, 5B, 89] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 830844E8 4 Bytes [E6, C0, A4, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 8308453C 8 Bytes [18, 7F, A5, 8F, 64, 7F, A5, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 83084548 4 Bytes [FE, 80, A5, 8F] .text ... PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83211D4B 5 Bytes JMP 895CAC9A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject + 27 8322A380 5 Bytes JMP 895CC7CC \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 8323F4DF 4 Bytes CALL 8FA4DFEF \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 83259347 4 Bytes CALL 8FA4E005 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 832E321C 7 Bytes JMP 895CDE04 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) .text win32k.sys!EngFntCacheLookUp + 8B28 9FF80ACB 5 Bytes JMP 8FA514DC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateRectRgn + 3819 9FF94BA4 5 Bytes JMP 8FA51628 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateRectRgn + 47FC 9FF95B87 5 Bytes JMP 8FA512F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCTGetGammaTable + 310 9FFB15AB 5 Bytes JMP 8FA521B2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCTGetGammaTable + 4CE9 9FFB5F84 5 Bytes JMP 8FA50D54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCTGetGammaTable + 6136 9FFB73D1 5 Bytes JMP 8FA523FA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCTGetGammaTable + BEA3 9FFBD13E 5 Bytes JMP 8FA516CE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCTGetGammaTable + C0F2 9FFBD38D 5 Bytes JMP 8FA517E2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMapFontFileFD + 650 9FFD6ED1 5 Bytes JMP 8FA509C2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMapFontFileFD + 70E 9FFD6F8F 5 Bytes JMP 8FA516EC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMapFontFileFD + 38FE 9FFDA17F 5 Bytes JMP 8FA50AD8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMapFontFileFD + 39BC 9FFDA23D 5 Bytes JMP 8FA50BF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngIsSemaphoreOwnedByCurrentThread + 1EDE 9FFDE8B5 5 Bytes JMP 8FA51508 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnmapFontFileFD + 2B22 9FFE8315 5 Bytes JMP 8FA5122C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnmapFontFileFD + ACE0 9FFF04D3 5 Bytes JMP 8FA50DF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnmapFontFileFD + 14FA1 9FFFA794 5 Bytes JMP 8FA52060 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngAlphaBlend + 506B A0011F7E 5 Bytes JMP 8FA52116 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngBitBlt + 42B4 A001F94B 5 Bytes JMP 8FA52614 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnlockSurface + B288 A0035243 5 Bytes JMP 8FA52162 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngUnlockSurface + CC47 A0036C02 5 Bytes JMP 8FA541FA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngDeleteClip + 48AD A0047B63 5 Bytes JMP 8FA50CDC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngEqualRgn + 41E2 A0055B52 5 Bytes JMP 8FA51150 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngEqualRgn + B479 A005CDE9 5 Bytes JMP 8FA524BE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngDeleteRgn + 2198 A0073C3F 5 Bytes JMP 8FA51008 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngFillPath + 8625 A0094D48 5 Bytes JMP 8FA5256C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_vGetBounds + 2EC7 A00ACCD0 5 Bytes JMP 8FA5233C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_vGetBounds + 3458 A00AD261 5 Bytes JMP 8FA50EBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_vGetBounds + 6547 A00B0350 5 Bytes JMP 8FA5170A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_vGetBounds + 9687 A00B3490 5 Bytes JMP 8FA50F24 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_vGetBounds + BF6E A00B5D77 5 Bytes JMP 8FA517C4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text ... .text win32k.sys!EngCTGetCurrentGamma + 640C A00C1F44 5 Bytes JMP 8FA510AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ASUS\ATK Hotkey\HControl.exe[488] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Windows\system32\csrss.exe[492] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[496] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Windows\system32\taskhost.exe[548] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text ... .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2144] ntdll.dll!LdrUnloadDll 76E1C8DE 5 Bytes JMP 001203FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2144] ntdll.dll!LdrLoadDll 76E222AE 5 Bytes JMP 001201F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2144] KERNEL32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2144] USER32.dll!UnhookWindowsHookEx 7516CC7B 5 Bytes JMP 00140A08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2144] USER32.dll!UnhookWinEvent 7516D924 5 Bytes JMP 001403FC .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2144] USER32.dll!SetWindowsHookExW 7517210A 5 Bytes JMP 00140804 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2144] USER32.dll!SetWinEventHook 7517507E 5 Bytes JMP 001401F8 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2144] USER32.dll!SetWindowsHookExA 75196DFA 5 Bytes JMP 00140600 .text C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe[2192] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2328] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynAsus.exe[2428] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2480] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Windows\system32\svchost.exe[2500] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text ... .text C:\Windows\System32\WUDFHost.exe[2724] ntdll.dll!LdrUnloadDll 76E1C8DE 5 Bytes JMP 000E03FC .text C:\Windows\System32\WUDFHost.exe[2724] ntdll.dll!LdrLoadDll 76E222AE 5 Bytes JMP 000E01F8 .text C:\Windows\System32\WUDFHost.exe[2724] KERNEL32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Windows\System32\WUDFHost.exe[2724] USER32.dll!UnhookWindowsHookEx 7516CC7B 5 Bytes JMP 00140A08 .text C:\Windows\System32\WUDFHost.exe[2724] USER32.dll!UnhookWinEvent 7516D924 5 Bytes JMP 001403FC .text C:\Windows\System32\WUDFHost.exe[2724] USER32.dll!SetWindowsHookExW 7517210A 5 Bytes JMP 00140804 .text C:\Windows\System32\WUDFHost.exe[2724] USER32.dll!SetWinEventHook 7517507E 5 Bytes JMP 001401F8 .text C:\Windows\System32\WUDFHost.exe[2724] USER32.dll!SetWindowsHookExA 75196DFA 5 Bytes JMP 00140600 .text C:\Windows\System32\svchost.exe[2780] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[2868] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2988] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Program Files\Intel\Bluetooth\BleServicesCtrl.exe[3012] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Windows\System32\rundll32.exe[3044] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3052] ntdll.dll!LdrUnloadDll 76E1C8DE 5 Bytes JMP 000703FC .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3052] ntdll.dll!LdrLoadDll 76E222AE 5 Bytes JMP 000701F8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3052] KERNEL32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3052] USER32.dll!UnhookWindowsHookEx 7516CC7B 5 Bytes JMP 001B0A08 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3052] USER32.dll!UnhookWinEvent 7516D924 5 Bytes JMP 001B03FC .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3052] USER32.dll!SetWindowsHookExW 7517210A 5 Bytes JMP 001B0804 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3052] USER32.dll!SetWinEventHook 7517507E 5 Bytes JMP 001B01F8 .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3052] USER32.dll!SetWindowsHookExA 75196DFA 5 Bytes JMP 001B0600 .text D:\Tools\Spybot - Search & Destroy\SDWinSec.exe[3096] ntdll.dll!LdrUnloadDll 76E1C8DE 5 Bytes JMP 001E03FC .text D:\Tools\Spybot - Search & Destroy\SDWinSec.exe[3096] ntdll.dll!LdrLoadDll 76E222AE 5 Bytes JMP 001E01F8 .text D:\Tools\Spybot - Search & Destroy\SDWinSec.exe[3096] KERNEL32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text D:\Tools\Spybot - Search & Destroy\SDWinSec.exe[3096] USER32.dll!UnhookWindowsHookEx 7516CC7B 5 Bytes JMP 001F0A08 .text D:\Tools\Spybot - Search & Destroy\SDWinSec.exe[3096] USER32.dll!UnhookWinEvent 7516D924 5 Bytes JMP 001F03FC .text D:\Tools\Spybot - Search & Destroy\SDWinSec.exe[3096] USER32.dll!SetWindowsHookExW 7517210A 5 Bytes JMP 001F0804 .text D:\Tools\Spybot - Search & Destroy\SDWinSec.exe[3096] USER32.dll!SetWinEventHook 7517507E 5 Bytes JMP 001F01F8 .text D:\Tools\Spybot - Search & Destroy\SDWinSec.exe[3096] USER32.dll!SetWindowsHookExA 75196DFA 5 Bytes JMP 001F0600 .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3584] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Windows\System32\svchost.exe[3592] ntdll.dll!LdrUnloadDll 76E1C8DE 5 Bytes JMP 000E03FC .text C:\Windows\System32\svchost.exe[3592] ntdll.dll!LdrLoadDll 76E222AE 5 Bytes JMP 000E01F8 .text C:\Windows\System32\svchost.exe[3592] KERNEL32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Windows\System32\svchost.exe[3592] user32.dll!UnhookWindowsHookEx 7516CC7B 5 Bytes JMP 00100A08 .text C:\Windows\System32\svchost.exe[3592] user32.dll!UnhookWinEvent 7516D924 5 Bytes JMP 001003FC .text C:\Windows\System32\svchost.exe[3592] user32.dll!SetWindowsHookExW 7517210A 5 Bytes JMP 00100804 .text C:\Windows\System32\svchost.exe[3592] user32.dll!SetWinEventHook 7517507E 5 Bytes JMP 001001F8 .text C:\Windows\System32\svchost.exe[3592] user32.dll!SetWindowsHookExA 75196DFA 5 Bytes JMP 00100600 .text C:\Windows\System32\alg.exe[4088] ntdll.dll!LdrUnloadDll 76E1C8DE 5 Bytes JMP 000B03FC .text C:\Windows\System32\alg.exe[4088] ntdll.dll!LdrLoadDll 76E222AE 5 Bytes JMP 000B01F8 .text C:\Windows\System32\alg.exe[4088] KERNEL32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Windows\System32\alg.exe[4088] USER32.dll!UnhookWindowsHookEx 7516CC7B 5 Bytes JMP 000D0A08 .text C:\Windows\System32\alg.exe[4088] USER32.dll!UnhookWinEvent 7516D924 5 Bytes JMP 000D03FC .text C:\Windows\System32\alg.exe[4088] USER32.dll!SetWindowsHookExW 7517210A 5 Bytes JMP 000D0804 .text C:\Windows\System32\alg.exe[4088] USER32.dll!SetWinEventHook 7517507E 5 Bytes JMP 000D01F8 .text C:\Windows\System32\alg.exe[4088] USER32.dll!SetWindowsHookExA 75196DFA 5 Bytes JMP 000D0600 .text C:\Windows\System32\svchost.exe[4124] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Program Files\Intel\Bluetooth\devmonsrv.exe[5968] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Program Files\Intel\Bluetooth\mediasrv.exe[6020] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Program Files\Intel\Bluetooth\obexsrv.exe[6068] kernel32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] .text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[6132] KERNEL32.dll!GetBinaryTypeW + 70 75D969E4 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1664] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [70460790] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [736124CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [735F562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [735F56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73612546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [736085AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73604D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73605105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [736051DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73606707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73608301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73608850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [736090B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7360E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73604C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2084] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [70460790] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\Windows\System32\rundll32.exe[3044] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74D3FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3044] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74D3FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3044] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74D3FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3044] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74D3FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[3044] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74D3FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3584] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74D3FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3584] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74D3FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3584] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74D3FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3584] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74D3FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3584] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74D3FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group) AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group) AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{6ECFBF47-23E7-4A66-933D-A570A6812E4F}\Connection@Name isatap.{09B60D6A-97E6-48F9-9B4F-923E43478FB0} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{D5F0F7DB-BC70-4AF8-BE05-8F48715A6B10}?\Device\{6ECFBF47-23E7-4A66-933D-A570A6812E4F}?\Device\{A0DF0FF7-AC36-45E7-A0FE-2D61B16CB8E1}?\Device\{7014AFF0-BC2F-4289-9684-B96109BE39AF}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{D5F0F7DB-BC70-4AF8-BE05-8F48715A6B10}"?"{6ECFBF47-23E7-4A66-933D-A570A6812E4F}"?"{A0DF0FF7-AC36-45E7-A0FE-2D61B16CB8E1}"?"{7014AFF0-BC2F-4289-9684-B96109BE39AF}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{D5F0F7DB-BC70-4AF8-BE05-8F48715A6B10}?\Device\TCPIP6TUNNEL_{6ECFBF47-23E7-4A66-933D-A570A6812E4F}?\Device\TCPIP6TUNNEL_{A0DF0FF7-AC36-45E7-A0FE-2D61B16CB8E1}?\Device\TCPIP6TUNNEL_{7014AFF0-BC2F-4289-9684-B96109BE39AF}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243a2ba9f Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243a2ba9f@e892a45f9c83 0x5C 0x63 0xB8 0x6D ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{6ECFBF47-23E7-4A66-933D-A570A6812E4F}@InterfaceName isatap.{09B60D6A-97E6-48F9-9B4F-923E43478FB0} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{6ECFBF47-23E7-4A66-933D-A570A6812E4F}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 6007 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243a2ba9f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243a2ba9f@e892a45f9c83 0x5C 0x63 0xB8 0x6D ... ---- EOF - GMER 2.1 ----