GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-27 17:18:19
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SP0802N rev.TK100-24 74,56GB
Running: ferqrbsk.exe; Driver: C:\TMP\pxtdapow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xEEC76610]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xEED2A5FA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xEEC770E6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xEECBAB36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xEEC82F18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xEEC82F64]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xEEC830FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xEECBA4EA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xEEC82E86]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xEEC82FA8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xEEC82ECE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xEEC775E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xEEC830B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xEEC77E9C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xEEC76676]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xEECBB1FC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xEECBB4B2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xEEC7B596]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xEECBB067]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xEECBAED2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xEED2A6C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xEEC7625E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xEEC766DC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xEEC7B98C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xEEC7892C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xEEC82F42]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xEEC82F86]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xEEC83122]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xEECBA846]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xEEC82EAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xEEC7AE78]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xEEC83036]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xEEC82EF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xEEC7B26E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xEEC830DC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xEED2A822]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xEECBAD4D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xEEC787F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xEECBAB9F]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xEEC7834E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xEED37744]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xEECB9B30]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xEEC76742]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xEEC767A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xEEC77D16]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xEEC762F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xEEC764CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xEECBB303]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xEEC7645C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xEEC78066]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xEEC781C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xEEC76556]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateProcess [0xEEC77B54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xEEC77CF6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0xEED28C42]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xEEC7680E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xEEC77142]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xEED43E00]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!_abnormal_termination + F0 804E275C 4 Bytes JMP 80EECBA4
.text ntoskrnl.exe!_abnormal_termination + 398 804E2A04 12 Bytes [42, 67, C7, EE, A8, 67, C7, ...]
.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [66, 80, C7, EE, C8, 81, C7, ...]
.text ntoskrnl.exe!_abnormal_termination + 465 804E2AD1 3 Bytes [8C, D2, EE] {MOV EDX, SS; OUT DX, AL}
PAGE ntoskrnl.exe!ObInsertObject 8056513A 5 Bytes JMP EED427B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056B9E8 4 Bytes CALL EEC78FD9 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 805823C4 7 Bytes JMP EED43E04 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059EA43 5 Bytes JMP EED40C9A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text win32k.sys!EngFreeUserMem + 674 BF809942 5 Bytes JMP EEC7D284 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFreeUserMem + 35D0 BF80C89E 5 Bytes JMP EEC7D162 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 45 BF813936 5 Bytes JMP EEC7D116 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 322E BF81E5E3 5 Bytes JMP EEC7BBF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMulDiv + 197D BF820CF0 5 Bytes JMP EEC7C6EC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPaint + 11A6 BF82D50A 5 Bytes JMP EEC7BD54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngLockSurface + C09 BF82E688 5 Bytes JMP EEC7D3FA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!CLIPOBJ_bEnum + 2E84 BF83901A 5 Bytes JMP EEC7D614 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!CLIPOBJ_bEnum + B8EE BF841A84 5 Bytes JMP EEC7D00A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!CLIPOBJ_bEnum + E0AA BF844240 5 Bytes JMP EEC7C6CE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!CLIPOBJ_bEnum + F626 BF8457BC 5 Bytes JMP EEC7BDF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 290F BF86F45E 5 Bytes JMP EEC7C7C4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 4BED BF87173C 5 Bytes JMP EEC7C22C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 4C78 BF8717C7 5 Bytes JMP EEC7C508 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 584E BF87239D 5 Bytes JMP EEC7BAD8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + AC2C BF87777B 5 Bytes JMP EEC7D1B2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnicodeToMultiByteN + 67E3 BF87E99A 5 Bytes JMP EEC7D33C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 3665 BF897CE7 5 Bytes JMP EEC7C2F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 41A2 BF898824 5 Bytes JMP EEC7C4C2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetLastError + 1606 BF8B590A 5 Bytes JMP EEC7C7E2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 2862 BF8B9028 5 Bytes JMP EEC7D56C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAlphaBlend + 35C2 BF8C1C5F 5 Bytes JMP EEC7BF24 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + A595 BF8EB23A 5 Bytes JMP EEC7C70A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + 19EF BF8EFCFB 5 Bytes JMP EEC7B9C2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + 3BBE BF8F1ECA 5 Bytes JMP EEC7C008 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + 3E3E BF8F214A 5 Bytes JMP EEC7C150 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1A40 BF914738 5 Bytes JMP EEC7BCDC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1CEC BF9149E4 5 Bytes JMP EEC7C88C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2614 BF91530C 5 Bytes JMP EEC7BEBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4F95 BF917C8D 5 Bytes JMP EEC7C628 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 192A BF948056 5 Bytes JMP EEC7D4BE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\svchost.exe[112] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[112] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[192] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[192] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[268] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[268] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[388] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\system32\Ati2evxx.exe[396] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\Ati2evxx.exe[396] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[480] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[480] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\System32\smss.exe[584] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\Java\jre7\bin\jqs.exe[652] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\Java\jre7\bin\jqs.exe[652] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[728] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[728] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[740] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[740] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[768] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\Analog Devices\SoundMAX\SMTray.exe[768] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[776] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[776] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[784] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[784] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\Program Files\RALINK\Common\RaUI.exe[820] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\RALINK\Common\RaUI.exe[820] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\Documents and Settings\Administrator\Moje dokumenty\ferqrbsk.exe[908] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Documents and Settings\Administrator\Moje dokumenty\ferqrbsk.exe[908] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[976] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[976] KERNEL32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[1020] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[1020] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1028] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[1104] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[1104] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[1116] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[1116] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1240] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1240] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\Ati2evxx.exe[1316] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1404] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1528] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1528] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1564] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1564] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1640] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1768] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1768] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1992] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1992] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 80, CC, 02]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 83, CC, 02]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 80, CC, 02]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 81, CC, 02]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 82, CC, 02]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 81, CC, 02]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 82, CC, 02]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 80, CC, 02]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 81, CC, 02]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 82, CC, 02]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 83, CC, 02]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2452] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2452] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\Program Files\Opera\17.0.1241.53_0\opera_crashreporter.exe[2608] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\Opera\17.0.1241.53_0\opera_crashreporter.exe[2608] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, A8, 3B, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, AB, 3B, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, A8, 3B, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, A9, 3B, 00] {TEST AL, 0xa9; CMP EAX, [EAX]}
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B9111C2
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, AA, 3B, 00] {TEST AL, 0xaa; CMP EAX, [EAX]}
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, A9, 3B, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, AA, 3B, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B911233
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, A8, 3B, 00] {TEST AL, 0xa8; CMP EAX, [EAX]}
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B911361
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, A9, 3B, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, AA, 3B, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, AB, 3B, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 28, 16, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 2B, 16, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 28, 16, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 29, 16, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC42
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 2A, 16, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 29, 16, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 2A, 16, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ECB3
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 28, 16, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDE1
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 29, 16, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 2A, 16, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 2B, 16, 00]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] kernel32.dll!GetBinaryTypeW + 80 7C8693DC 1 Byte [62]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\AVAST Software\Avast\avastUI.exe[776] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C90790] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\WINDOWS\system32\services.exe[1104] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[1104] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000
IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1768] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C90790] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\Opera\17.0.1241.53_0\opera.exe[2376] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 02E30010
IAT C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 003E0010
IAT C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3476] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002D0010

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 2.1 ----
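The log above is read the way an analyst triages any GMER output: every hook GMER could attribute to a named module is grouped under that module, and whatever is left unattributed is what still needs a human. The script below is an added example written for this page; it is not part of GMER's output, of avast's software, or of the original post. It parses rows in the shapes this log contains (SSDT/Code, kernel `.text`/`PAGE`, user-mode `.text`, `IAT`, `Device`/`AttachedDevice`); other GMER sections or versions may print rows it does not recognise, which is an assumption it makes explicit by keeping the raw row. The vendor allowlist is the analyst's input, here set to the one vendor this log names. The sample is an excerpt copied verbatim from the log above. As a second check, it decodes the `N Bytes [..]` columns of the unattributed kernel rows as little-endian pointers and looks them up among the SSDT hook addresses listed in the same log.

```python
"""Triage a GMER 2.1 log: group every reported hook by the module GMER attributed
it to, list what still needs manual review, and cross-check unattributed kernel
rows against the SSDT hook addresses the same log already lists."""
import re
from collections import Counter

# Excerpt copied from the log above, one entry per line, covering each row
# shape it contains (SSDT, Code, kernel .text/PAGE, user .text, IAT, devices).
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xEEC7AE78]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xEEC76742]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xEEC78066]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0xEED28C42]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
.text ntoskrnl.exe!_abnormal_termination + F0 804E275C 4 Bytes JMP 80EECBA4
.text ntoskrnl.exe!_abnormal_termination + 398 804E2A04 12 Bytes [42, 67, C7, EE, A8, 67, C7, ...]
.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [66, 80, C7, EE, C8, 81, C7, ...]
PAGE ntoskrnl.exe!ZwCreateProcessEx 805823C4 7 Bytes JMP EED43E04 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text win32k.sys!EngPaint + 11A6 BF82D50A 5 Bytes JMP EEC7BD54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text C:\WINDOWS\system32\lsass.exe[1116] ntdll.dll!RtlDosSearchPath_U + 186 7C91616D 1 Byte [62]
.text C:\Program Files\Opera\17.0.1241.53_0\opera.exe[3448] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B9111C2
IAT C:\WINDOWS\system32\services.exe[1104] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000
IAT C:\Program Files\AVAST Software\Avast\avastUI.exe[776] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C90790] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
---- EOF - GMER 2.1 ----
"""

# SSDT/Code rows put the owner first: "SSDT <module> (<desc>/<vendor>) <export> [0xADDR]".
SSDT_RE = re.compile(r'^(SSDT|Code)\s+(\S+)\s+\(([^)]*)\)\s+(\w+)(?:\s+\[0x([0-9A-F]+)\])?', re.I)
# Every other row type puts the owner last, if GMER could name one at all.
ATTRIB_RE = re.compile(r'(\S+\.(?:sys|dll|exe))\s+\(([^)]*)\)\s*$', re.I)
# "<image>[pid]" right after the row type identifies the process (user-mode rows only).
PROCESS_RE = re.compile(r'^(?:\.text|IAT)\s+(.+?\.exe)\[(\d+)\]', re.I)
# "<module>!<export>( + <hex offset>)?" is the patched location.
TARGET_RE = re.compile(r'([\w.]+![\w@]+(?: \+ [0-9A-F]+)?)', re.I)
# The bytes GMER found at the patched location.
BYTES_RE = re.compile(r'\d+ Bytes? \[([^\]]*)\]')


def basename(path):
    return path.rsplit('\\', 1)[-1]


def parse_entry(line):
    """Parse one GMER row into a dict, or return None for headers and blank
    lines. owner/vendor stay None when GMER printed no module for the hook."""
    line = line.strip()
    if not line or line.startswith('----'):
        return None
    kind = line.split(None, 1)[0]
    owner = vendor = hook_addr = None
    body = line
    m = SSDT_RE.match(line)
    if m:
        kind, module, desc, target, addr = m.groups()
        owner, vendor = basename(module), desc.rsplit('/', 1)[-1]
        hook_addr = int(addr, 16) if addr else None
    else:
        m = ATTRIB_RE.search(line)
        if m:
            owner, vendor = basename(m.group(1)), m.group(2).rsplit('/', 1)[-1]
            body = line[:m.start()]
        t = TARGET_RE.search(body)
        rest = body.split(None, 1)
        target = t.group(1) if t else (rest[1].strip() if len(rest) > 1 else '')
    p = PROCESS_RE.match(line)
    process = f"{basename(p.group(1))}[{p.group(2)}]" if p else None
    return {'kind': kind, 'target': target, 'process': process, 'owner': owner,
            'vendor': vendor, 'hook_addr': hook_addr, 'raw': line}


def dwords_in_patch(raw):
    """Little-endian dwords spelled out in an 'N Bytes [..]' column; the
    trailing '...' and any incomplete 4-byte group are ignored."""
    m = BYTES_RE.search(raw)
    if not m:
        return []
    octets = [t for t in m.group(1).replace(',', ' ').split() if t != '...']
    return [int(''.join(reversed(octets[i:i + 4])), 16)
            for i in range(0, len(octets) - 3, 4)]


def explain_unattributed(entries):
    """For each unattributed kernel row whose patched bytes are pointers equal
    to SSDT hook addresses listed in the same log, name those hooks."""
    hooks = {e['hook_addr']: e['target'] for e in entries if e['hook_addr']}
    found = {}
    for e in entries:
        if e['owner'] is None and e['process'] is None:
            names = [hooks[d] for d in dwords_in_patch(e['raw']) if d in hooks]
            if names:
                found[e['target']] = names
    return found


def triage(log_text, expected_vendors=frozenset()):
    """Summarise a whole log. expected_vendors is the analyst's allowlist of
    vendors whose hooks are expected on this machine (here: the installed AV)."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    by_owner = Counter(e['owner'] or '<unattributed>' for e in entries)
    vendors = sorted({e['vendor'] for e in entries if e['vendor']})
    needs_review = [e for e in entries
                    if e['owner'] is None or e['vendor'] not in expected_vendors]
    return {'entries': entries, 'by_owner': by_owner,
            'vendors': vendors, 'needs_review': needs_review}


def report(log_text, expected_vendors=frozenset()):
    r = triage(log_text, expected_vendors)
    out = [f"{len(r['entries'])} entries; vendors named by GMER: {', '.join(r['vendors']) or 'none'}"]
    out += [f"  {n:4d}  {owner}" for owner, n in r['by_owner'].most_common()]
    out.append(f"{len(r['needs_review'])} entries need manual review:")
    out += [f"  {e['kind']:<14} {(e['process'] or 'kernel'):<20} {e['target']}"
            for e in r['needs_review']]
    for target, names in explain_unattributed(r['entries']).items():
        out.append(f"  note: bytes at {target} are pointers to {', '.join(names)}")
    return '\n'.join(out)


if __name__ == '__main__':
    print(report(SAMPLE_LOG, expected_vendors={'AVAST Software'}))
```

Run over the full log above, the grouping puts every kernel-side row GMER attributed (all SSDT entries, the inline `ntoskrnl`/`win32k` patches, the Ntfs and Tcpip attachments) under aswSnx.SYS, aswSP.SYS, aswCmnBS.dll and aswTdi.SYS, and leaves for manual review the rows printed without an owner: the two 1-byte `[62]` patches at `RtlDosSearchPath_U + 186` and `GetBinaryTypeW + 80` that appear in every listed process, including the scanner's own `ferqrbsk.exe[908]`; the `services.exe` IAT entries for `CreateProcessW`/`CreateProcessAsUserW`; and the ntdll patches in the three `opera.exe` processes. The pointer cross-check resolves the `_abnormal_termination + 398` and `+ 440` rows: their bytes are the addresses of the ZwSetBootEntryOrder/ZwSetBootOptions and ZwSuspendProcess/ZwSuspendThread hooks already listed, so they are pointer slots holding the same avast addresses rather than an unexplained second modification. Unattributed means only that the destination was not inside a module GMER could name, not that the row is malicious; the identical set of ntdll exports patched in each `opera.exe` (NtCreateFile, NtOpenFile, NtOpenProcess, NtMapViewOfSection and the rest) is consistent with the in-process sandbox interception of a Chromium-based browser, and the right next step is to confirm that the destination addresses fall inside that process's own modules rather than assuming either way.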