GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-12 20:18:05
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-8 INTEL_SSDSC2CT180A3 rev.300i 167,68GB
Running: m57g1hli.exe; Driver: C:\Users\Arturo\AppData\Local\Temp\uwldrpow.sys


---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\wininit.exe[564]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\winlogon.exe[624]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\services.exe[652]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\lsass.exe[680]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[756]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[804]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\dwm.exe[900]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\dwm.exe[900]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffab976169a 4 bytes [76, B9, FA, 7F]
.text  C:\Windows\system32\dwm.exe[900]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffab97616a2 4 bytes [76, B9, FA, 7F]
.text  C:\Windows\system32\dwm.exe[900]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffab976181a 4 bytes [76, B9, FA, 7F]
.text  C:\Windows\system32\dwm.exe[900]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffab9761832 4 bytes [76, B9, FA, 7F]
.text  C:\Windows\system32\nvvsvc.exe[952]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1008]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\nvvsvc.exe[1016]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\nvvsvc.exe[1016]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffab976169a 4 bytes [76, B9, FA, 7F]
.text  C:\Windows\system32\nvvsvc.exe[1016]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffab97616a2 4 bytes [76, B9, FA, 7F]
.text  C:\Windows\system32\nvvsvc.exe[1016]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffab976181a 4 bytes [76, B9, FA, 7F]
.text  C:\Windows\system32\nvvsvc.exe[1016]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffab9761832 4 bytes [76, B9, FA, 7F]
.text  C:\Windows\System32\svchost.exe[280]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[348]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[480]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\System32\svchost.exe[768]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1172]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\System32\spoolsv.exe[1424]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1460]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[1716]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\wlms\wlms.exe[1808]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\svchost.exe[2212]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\Explorer.EXE[2564]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\Explorer.EXE[2564]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffab976169a 4 bytes [76, B9, FA, 7F]
.text  C:\Windows\Explorer.EXE[2564]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffab97616a2 4 bytes [76, B9, FA, 7F]
.text  C:\Windows\Explorer.EXE[2564]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffab976181a 4 bytes [76, B9, FA, 7F]
.text  C:\Windows\Explorer.EXE[2564]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffab9761832 4 bytes [76, B9, FA, 7F]
.text  C:\Windows\system32\DllHost.exe[1580]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\SearchIndexer.exe[2848]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\taskhostex.exe[3012]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[1036]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [572:596]  fffff960009674d0
Thread  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [1036:3092]  00007ffaa598838c
Thread  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [1036:3104]  00007ffaa55ec680

---- Services - GMER 2.1 ----

Service  C:\Windows\system32\drivers\aswFsBlk.sys (*** hidden *** )  [AUTO] aswFsBlk  <-- ROOTKIT !!!
Service  C:\Windows\system32\drivers\aswMonFlt.sys (*** hidden *** )  [AUTO] aswMonFlt  <-- ROOTKIT !!!
Service  C:\Windows\system32\drivers\aswRdr2.sys (*** hidden *** )  [SYSTEM] aswRdr  <-- ROOTKIT !!!
Service  C:\Windows\system32\drivers\aswRvrt.sys (*** hidden *** )  [BOOT] aswRvrt  <-- ROOTKIT !!!
Service  C:\Windows\system32\drivers\aswSnx.sys (*** hidden *** )  [SYSTEM] aswSnx  <-- ROOTKIT !!!
Service  C:\Windows\system32\drivers\aswSP.sys (*** hidden *** )  [SYSTEM] aswSP  <-- ROOTKIT !!!
Service  C:\Windows\system32\drivers\aswVmm.sys (*** hidden *** )  [BOOT] aswVmm  <-- ROOTKIT !!!
Service  C:\Program Files\AVAST Software\Avast\AvastSvc.exe (*** hidden *** )  [AUTO] avast! Antivirus  <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  1715831232
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk@Type  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk@Tag  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk@ImagePath  \??\C:\Windows\system32\drivers\aswFsBlk.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk@DisplayName  aswFsBlk
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk@Group  FSFilter Activity Monitor
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk@DependOnService  FltMgr?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk@Description  Avast! Mini-filter Driver
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk\Instances
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk\Instances@DefaultInstance  aswFsBlk Instance
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk\Instances\aswFsBlk Instance
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk\Instances\aswFsBlk Instance@Altitude  388400
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk\Instances\aswFsBlk Instance@Flags  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswFsBlk
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt@Type  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt@ImagePath  \??\C:\Windows\system32\drivers\aswMonFlt.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt@DisplayName  aswMonFlt
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt@Group  FSFilter Anti-Virus
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt@DependOnService  FltMgr?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt@Description  avast! mini-filter driver (aswMonFlt)
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt\Instances
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt\Instances@DefaultInstance  aswMonFlt Instance
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt\Instances\aswMonFlt Instance
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt\Instances\aswMonFlt Instance@Altitude  320700
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt\Instances\aswMonFlt Instance@Flags  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRdr@Type  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRdr@Start  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRdr@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRdr@ImagePath  \??\C:\Windows\system32\drivers\aswRdr2.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRdr@DisplayName  aswRdr
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRdr@Group  PNP_TDI
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRdr@DependOnService  tcpip?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRdr@Description  avast! WFP Redirect driver
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRdr\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRdr\Parameters@MSIgnoreLSPDefault
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRdr\Parameters@WSIgnoreLSPDefault  nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRdr
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt@Type  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt@Start  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt@DisplayName  avast! Revert
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@BootCounter  10
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@SystemRoot  \Device\HarddiskVolume1\Windows
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@TickCounter  257467
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@ImproperShutdown  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\1383824673
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\1383824673@  Commited
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\1383824673@BootTimeout  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\1383824673@TickTimeout  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\1383824673@CreationTime  0xAD 0xC0 0x93 0xBA ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\1383824673@SetupOperations  DeleteFile("\??\c:\program files\avast software\avast\setup\inf\x64\aswsp.sys.1383824673")?DeleteFile("\??\c:\windows\system32\drivers\aswsp.sys.1383824673")?DeleteFile("\??\c:\program files\avast software\avast\setup\inf\x64\aswsp.sys.sum.1383824673")?DeleteFile("\??\c:\program files\avast software\avast\setup\inf\aswsp.inf.1383824673")?DeleteFile("\??\c:\program files\avast software\avast\setup\inf\aswsp.inf.sum.1383824673")?DeleteFile("\??\c:\program files\avast software\avast\setup\inf\aswsp.cat.1383824673")?DeleteFile("\??\c:\program files\avast software\avast\setup\inf\aswsp.cat.sum.1383824673")?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\1383824673@StartBootCounter  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\1383824673@StartTickCounter  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\1383824673@LastPackageError  -1073741772
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx@Type  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx@Start  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx@ImagePath  \??\C:\Windows\system32\drivers\aswSnx.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx@DisplayName  aswSnx
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx@Group  FSFilter Virtualization
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx@DependOnService  FltMgr?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx@Description  avast! virtualization driver (aswSnx)
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx\Instances
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx\Instances@DefaultInstance  aswSnx Instance
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx\Instances\aswSnx Instance
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx\Instances\aswSnx Instance@Altitude  137600
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx\Instances\aswSnx Instance@Flags  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx\Parameters@ProgramFolder  \??\C:\Program Files\AVAST Software\Avast
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx\Parameters@DataFolder  \??\C:\ProgramData\AVAST Software\Avast
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSnx
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP@Type  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP@Start  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP@ImagePath  \??\C:\Windows\system32\drivers\aswSP.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP@DisplayName  aswSP
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP@Description  avast! Self Protection
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP\Parameters@BehavShield  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP\Parameters@ProgramFolder  \??\C:\Program Files\AVAST Software\Avast
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP\Parameters@DataFolder  \??\C:\ProgramData\AVAST Software\Avast
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP\Parameters@ProgramFilesFolder  \??\C:\Program Files
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP\Parameters@NoWelcomeScreen  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswVmm@Type  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswVmm@Start  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswVmm@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswVmm@DisplayName  avast! VM Monitor
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswVmm@Description  avast! VM Monitor
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswVmm\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswVmm
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus@Type  288
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus@ErrorControl  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus@ImagePath  "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus@DisplayName  avast! Antivirus
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus@Group  ShellSvcGroup
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus@DependOnService  aswMonFlt?RpcSS?
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus@WOW64  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus@ServiceSidType  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus@Description  Manages and implements avast! antivirus services for this computer. This includes the real-time shields, the virus chest and the scheduler.
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced@Hidden  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced@HideFileExt  0

---- EOF - GMER 2.1 ----
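Triage notes and a parser for the log above. This is an added example, not part of the GMER output and not GMER's own code. GMER's "(*** hidden *** )" flag means the service key was not returned by the normal service/registry API but was found by GMER's raw registry read, and "<-- ROOTKIT !!!" is attached to every such service without further analysis. In this log every flagged entry resolves to an Avast file (the aswXxx drivers and AvastSvc.exe), and the Registry section describes aswSP as "avast! Self Protection", so the log is consistent with a self-protecting AV hiding its own keys rather than with malware; a practitioner would still confirm that each ImagePath is Avast-signed on the host before closing the ticket. The user-code entries are worth reading the same way: the 1-byte [62] patch at KERNEL32.DLL!GetBinaryTypeW+165 sits at the same address with the same byte in every scanned process, and the four bytes [76, B9, FA, 7F] reported in PSAPI.DLL are, read little-endian, 0x7FFAB976, which is bits 16..47 of the very address they were found at (00007ffab976...), i.e. the relocated part of a 64-bit pointer into PSAPI's own image. The script below parses a constructed subset of the log's lines (copied verbatim from the sections above), groups identical patches by process, applies that pointer check as a heuristic (the author's assumption, labelled in the code), and pairs each hidden service with the ImagePath and Description the Registry section gives for it.

```python
"""Triage helper for a GMER 2.1 log.

Added example: not part of the GMER log and not GMER's own code.  SAMPLE_LOG is
a constructed subset of lines copied from the log above.  The grouping, the
relocation heuristic and the hidden-service lookup are this author's triage
logic, not anything GMER itself does.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\wininit.exe[564]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\lsass.exe[680]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\dwm.exe[900]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]
.text  C:\Windows\system32\dwm.exe[900]  C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffab976169a 4 bytes [76, B9, FA, 7F]
.text  C:\Windows\system32\dwm.exe[900]  C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffab976181a 4 bytes [76, B9, FA, 7F]
.text  C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe[1036]  C:\Windows\system32\KERNEL32.DLL!GetBinaryTypeW + 165  00007ffabb93978d 1 byte [62]

---- Services - GMER 2.1 ----

Service  C:\Windows\system32\drivers\aswSP.sys (*** hidden *** )  [SYSTEM] aswSP  <-- ROOTKIT !!!
Service  C:\Program Files\AVAST Software\Avast\AvastSvc.exe (*** hidden *** )  [AUTO] avast! Antivirus  <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP@ImagePath  \??\C:\Windows\system32\drivers\aswSP.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswSP@Description  avast! Self Protection
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus@ImagePath  "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
Reg  HKLM\SYSTEM\CurrentControlSet\Services\avast! Antivirus@ObjectName  LocalSystem

---- EOF - GMER 2.1 ----
"""

# One regex per GMER record type.  Paths may contain spaces, so the lazy
# groups stop at the first token that can only be the next field.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>.+?)!(?P<func>\w+) \+ (?P<off>\d+)"
    r"\s+(?P<addr>[0-9a-f]+)\s+(?P<size>\d+) bytes?\s+\[(?P<bytes>[^\]]+)\]$")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)(?P<hidden>\s+\(\*\*\* hidden \*\*\* \))?\s+\[(?P<start>\w+)\]"
    r"\s+(?P<name>.+?)(?:\s+<-- ROOTKIT !!!)?$")
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@]+?)(?:@(?P<value>\S*)(?:\s+(?P<data>.*))?)?$")


def _base(path):
    return path.rsplit("\\", 1)[-1]


def parse_gmer(text):
    """Return (hooks, services, registry) from GMER log text.

    registry maps (key, value_name) -> data; key-only lines are skipped."""
    hooks, services, registry = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["bytes"] = bytes(int(b, 16) for b in d["bytes"].split(","))
            d["addr"] = int(d["addr"], 16)
            hooks.append(d)
            continue
        m = SERVICE_RE.match(line)
        if m:
            d = m.groupdict()
            d["hidden"] = d["hidden"] is not None
            services.append(d)
            continue
        m = REG_RE.match(line)
        if m and m["value"] is not None:
            registry[(m["key"], m["value"])] = m["data"] or ""
    return hooks, services, registry


def group_patches(hooks):
    """Group byte-identical patches at the same module!func+offset and list the
    processes carrying them.  The same bytes at the same address in every
    process point at a system-wide change to a shared DLL, not per-process
    injection."""
    groups = defaultdict(set)
    for h in hooks:
        key = (_base(h["mod"]), h["func"], int(h["off"]), h["bytes"].hex())
        groups[key].add(f"{_base(h['proc'])}[{h['pid']}]")
    return {k: sorted(v) for k, v in groups.items()}


def looks_like_relocation(hook):
    """Heuristic (author's assumption): a 4-byte diff whose value equals bits
    16..47 of its own address is the relocated middle of a 64-bit pointer into
    the same image.  Load bases are 64 KiB aligned, so relocation leaves the
    low two bytes and the zero high bytes untouched and changes exactly these
    four; that is a fixup, not a jump to foreign code."""
    if len(hook["bytes"]) != 4:
        return False
    return int.from_bytes(hook["bytes"], "little") == (hook["addr"] >> 16) & 0xFFFFFFFF


def hidden_service_report(services, registry):
    """Pair each hidden service with what its own registry key says about it.
    Verifying the Authenticode signature of image_path on the host is the
    follow-up this script cannot do offline."""
    prefix = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
    report = []
    for s in services:
        if not s["hidden"]:
            continue
        key = prefix + s["name"]
        report.append({
            "name": s["name"], "start": s["start"], "path": s["path"],
            "image_path": registry.get((key, "ImagePath"), "<not in log>"),
            "description": registry.get((key, "Description"), "<not in log>"),
        })
    return report


if __name__ == "__main__":
    hooks, services, registry = parse_gmer(SAMPLE_LOG)
    for (mod, func, off, hexbytes), procs in group_patches(hooks).items():
        print(f"{mod}!{func}+{off} [{hexbytes}] in {len(procs)} process(es): {', '.join(procs)}")
    for h in hooks:
        if looks_like_relocation(h):
            print(f"relocation-like: {_base(h['mod'])}!{h['func']}+{h['off']} @ {h['addr']:x}")
    for r in hidden_service_report(services, registry):
        print(r)
```

Run it against a full GMER log by reading the file into `parse_gmer` instead of `SAMPLE_LOG`; the relocation heuristic only ever clears 4-byte diffs that match their own address, so a real inline hook (a jump or call to another image) is never suppressed by it.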