GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-30 20:46:21
Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST916082 rev.3.CD 149.05GB
Running: gmer.exe; Driver: C:\Users\Katelynn\AppData\Local\Temp\fxldypow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8E026610]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8E60E5FA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8E0270E6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8E032F18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8E032F64]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8E0330FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8E032E86]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8E60E992]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8E032ECE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8E0275E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8E0330B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8E027E9C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8E026676]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0x8E02B596]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8E60E6C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8E60CC12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8E0266DC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8E02B98C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8E02892C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8E032F42]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8E032F86]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8E033122]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8E032EAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0x8E02AE78]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8E033036]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8E032EF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0x8E02B26E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8E0330DC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8E60E822]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8E0287F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0x8E02834E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8E026742]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8E0267A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8E027D16]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8E0262F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8E0264CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8E02645C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8E028066]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8E0281C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8E026556]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8E60E8EA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8E027CF6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0x8E60CC42]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8E02680E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8E60E76E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8E027800]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8E627E00]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!KeSetTimerEx + 340 824C5964 4 Bytes [10, 66, 02, 8E]
.text ntkrnlpa.exe!KeSetTimerEx + 364 824C5988 4 Bytes [FA, E5, 60, 8E]
.text ntkrnlpa.exe!KeSetTimerEx + 3C4 824C59E8 4 Bytes [E6, 70, 02, 8E]
.text ntkrnlpa.exe!KeSetTimerEx + 404 824C5A28 8 Bytes [18, 2F, 03, 8E, 64, 2F, 03, ...] {SBB [EDI], CH; ADD ECX, [ESI-0x71fcd09c]}
.text ntkrnlpa.exe!KeSetTimerEx + 410 824C5A34 4 Bytes [FE, 30, 03, 8E]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 825ECD5E 5 Bytes JMP 8E624C9A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82629666 4 Bytes CALL 8E028FEF \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82638FC9 4 Bytes CALL 8E029005 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 82655872 5 Bytes JMP 8E6267B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 826A1776 7 Bytes JMP 8E627E04 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text win32k.sys!EngCreateRectRgn + 51BE 94F04121 5 Bytes JMP 8E02C628 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPaint + 2098 94F17417 5 Bytes JMP 8E02BAD8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 3DF2 94F22D87 5 Bytes JMP 8E02C6CE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + B50 94F2ADFC 5 Bytes JMP 8E02B9C2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + F35 94F2B1E1 5 Bytes JMP 8E02D1B2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 1EC5 94F2C171 5 Bytes JMP 8E02C88C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCombineRgn + 3A1 94F2CD4F 5 Bytes JMP 8E02C7C4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCombineRgn + 3161 94F2FB0F 5 Bytes JMP 8E02BF24 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngSetRectRgn + 192F 94F327DB 5 Bytes JMP 8E02BD54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + 65CF 94F3C989 5 Bytes JMP 8E02C4DC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + 8742 94F3EAFC 5 Bytes JMP 8E02D56C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + A398 94F40752 5 Bytes JMP 8E02C7E2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + B931 94F41CEB 5 Bytes JMP 8E02C2F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + C760 94F5C173 5 Bytes JMP 8E02C22C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + C833 94F5C246 5 Bytes JMP 8E02C508 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 3FBB 94F7E250 5 Bytes JMP 8E02D060 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 7DEF 94F82084 5 Bytes JMP 8E02BDF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMulDiv + 9253 94F8BA92 5 Bytes JMP 8E02C6EC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngNineGrid + 442A 94F945A4 5 Bytes JMP 8E02BBF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngNineGrid + 9061 94F991DB 5 Bytes JMP 8E02D33C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngNineGrid + 92BD 94F99437 5 Bytes JMP 8E02D3FA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngLpkInstalled + 17 94F9D4C0 5 Bytes JMP 8E02D162 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBlt + 3838 94FAD788 5 Bytes JMP 8E02D614 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 4D52 94FB5F06 5 Bytes JMP 8E02D116 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 17BC 94FBFA3E 5 Bytes JMP 8E02D284 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!STROBJ_vEnumStart + 478A 94FC64CD 5 Bytes JMP 8E02BCDC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + 40E 94FE2D0A 5 Bytes JMP 8E02C008 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!CLIPOBJ_bEnum + CC9 94FECBE8 5 Bytes JMP 8E02BEBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 26D9 94FF0720 5 Bytes JMP 8E02D4BE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 45CE 94FF2615 5 Bytes JMP 8E02C70A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 30D9 9500A971 5 Bytes JMP 8E02C150 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 6CAF 9500E547 5 Bytes JMP 8E02C0AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
? C:\Users\Katelynn\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[356] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[368] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\Explorer.EXE[600] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\system32\csrss.exe[664] KERNEL32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\system32\wininit.exe[708] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text ...
.text C:\Windows\system32\wuauclt.exe[1120] ntdll.dll!LdrLoadDll 773079B3 5 Bytes JMP 000701F8
.text C:\Windows\system32\wuauclt.exe[1120] ntdll.dll!LdrUnloadDll 7731E5AC 5 Bytes JMP 000703FC
.text C:\Windows\system32\wuauclt.exe[1120] KERNEL32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\system32\wuauclt.exe[1120] USER32.dll!SetWindowsHookExW 75D57B69 5 Bytes JMP 000C0804
.text C:\Windows\system32\wuauclt.exe[1120] USER32.dll!SetWinEventHook 75D5915C 5 Bytes JMP 000C01F8
.text C:\Windows\system32\wuauclt.exe[1120] USER32.dll!UnhookWinEvent 75D5B702 5 Bytes JMP 000C03FC
.text C:\Windows\system32\wuauclt.exe[1120] USER32.dll!SetWindowsHookExA 75D7BB0E 5 Bytes JMP 000C0600
.text C:\Windows\system32\wuauclt.exe[1120] USER32.dll!UnhookWindowsHookEx 75D808BE 5 Bytes JMP 000C0A08
.text C:\Windows\system32\wuauclt.exe[1120] ADVAPI32.dll!CreateServiceW 75CC38FF 5 Bytes JMP 000D03FC
.text C:\Windows\system32\wuauclt.exe[1120] ADVAPI32.dll!DeleteService 75CC3BEE 5 Bytes JMP 000D0600
.text C:\Windows\system32\wuauclt.exe[1120] ADVAPI32.dll!SetServiceObjectSecurity 75D066A9 5 Bytes JMP 000D1014
.text C:\Windows\system32\wuauclt.exe[1120] ADVAPI32.dll!ChangeServiceConfigA 75D067A9 5 Bytes JMP 000D0804
.text C:\Windows\system32\wuauclt.exe[1120] ADVAPI32.dll!ChangeServiceConfigW 75D06951 5 Bytes JMP 000D0A08
.text C:\Windows\system32\wuauclt.exe[1120] ADVAPI32.dll!ChangeServiceConfig2A 75D06A69 5 Bytes JMP 000D0C0C
.text C:\Windows\system32\wuauclt.exe[1120] ADVAPI32.dll!ChangeServiceConfig2W 75D06BB1 5 Bytes JMP 000D0E10
.text C:\Windows\system32\wuauclt.exe[1120] ADVAPI32.dll!CreateServiceA 75D06C71 5 Bytes JMP 000D01F8
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1140] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1208] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1300] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Program Files\Microsoft Security Client\msseces.exe[1360] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text ...
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] ntdll.dll!LdrLoadDll 773079B3 5 Bytes JMP 001601F8
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] ntdll.dll!LdrUnloadDll 7731E5AC 5 Bytes JMP 001603FC
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] KERNEL32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] ADVAPI32.dll!CreateServiceW 75CC38FF 5 Bytes JMP 001703FC
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] ADVAPI32.dll!DeleteService 75CC3BEE 5 Bytes JMP 00170600
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] ADVAPI32.dll!SetServiceObjectSecurity 75D066A9 5 Bytes JMP 00171014
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] ADVAPI32.dll!ChangeServiceConfigA 75D067A9 5 Bytes JMP 00170804
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] ADVAPI32.dll!ChangeServiceConfigW 75D06951 5 Bytes JMP 00170A08
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] ADVAPI32.dll!ChangeServiceConfig2A 75D06A69 5 Bytes JMP 00170C0C
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] ADVAPI32.dll!ChangeServiceConfig2W 75D06BB1 5 Bytes JMP 00170E10
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] ADVAPI32.dll!CreateServiceA 75D06C71 5 Bytes JMP 001701F8
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] USER32.dll!SetWindowsHookExW 75D57B69 5 Bytes JMP 00180804
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] USER32.dll!SetWinEventHook 75D5915C 5 Bytes JMP 001801F8
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] USER32.dll!UnhookWinEvent 75D5B702 5 Bytes JMP 001803FC
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] USER32.dll!SetWindowsHookExA 75D7BB0E 5 Bytes JMP 00180600
.text C:\Users\Katelynn\AppData\Local\Temp\Rar$EXa0.411\gmer.exe[2128] USER32.dll!UnhookWindowsHookEx 75D808BE 5 Bytes JMP 00180A08
.text C:\Program Files\Bonjour\mDNSResponder.exe[2400] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe[2424] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[2540] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\system32\lxcrcoms.exe[2640] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2784] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text ...
.text C:\Windows\System32\svchost.exe[3728] ntdll.dll!LdrLoadDll 773079B3 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[3728] ntdll.dll!LdrUnloadDll 7731E5AC 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[3728] KERNEL32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\System32\svchost.exe[3728] ADVAPI32.dll!CreateServiceW 75CC38FF 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[3728] ADVAPI32.dll!DeleteService 75CC3BEE 5 Bytes JMP 00070600
.text C:\Windows\System32\svchost.exe[3728] ADVAPI32.dll!SetServiceObjectSecurity 75D066A9 5 Bytes JMP 00071014
.text C:\Windows\System32\svchost.exe[3728] ADVAPI32.dll!ChangeServiceConfigA 75D067A9 5 Bytes JMP 00070804
.text C:\Windows\System32\svchost.exe[3728] ADVAPI32.dll!ChangeServiceConfigW 75D06951 5 Bytes JMP 00070A08
.text C:\Windows\System32\svchost.exe[3728] ADVAPI32.dll!ChangeServiceConfig2A 75D06A69 5 Bytes JMP 00070C0C
.text C:\Windows\System32\svchost.exe[3728] ADVAPI32.dll!ChangeServiceConfig2W 75D06BB1 5 Bytes JMP 00070E10
.text C:\Windows\System32\svchost.exe[3728] ADVAPI32.dll!CreateServiceA 75D06C71 5 Bytes JMP 000701F8
.text C:\Windows\System32\svchost.exe[3728] USER32.dll!SetWindowsHookExW 75D57B69 5 Bytes JMP 00080804
.text C:\Windows\System32\svchost.exe[3728] USER32.dll!SetWinEventHook 75D5915C 5 Bytes JMP 000801F8
.text C:\Windows\System32\svchost.exe[3728] USER32.dll!UnhookWinEvent 75D5B702 5 Bytes JMP 000803FC
.text C:\Windows\System32\svchost.exe[3728] USER32.dll!SetWindowsHookExA 75D7BB0E 5 Bytes JMP 00080600
.text C:\Windows\System32\svchost.exe[3728] USER32.dll!UnhookWindowsHookEx 75D808BE 5 Bytes JMP 00080A08
.text C:\Windows\system32\wbem\unsecapp.exe[3844] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[3868] kernel32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[5236] ntdll.dll!LdrLoadDll 773079B3 5 Bytes JMP 000601F8
.text C:\Windows\system32\taskeng.exe[5236] ntdll.dll!LdrUnloadDll 7731E5AC 5 Bytes JMP 000603FC
.text C:\Windows\system32\taskeng.exe[5236] KERNEL32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[5236] ADVAPI32.dll!CreateServiceW 75CC38FF 5 Bytes JMP 000703FC
.text C:\Windows\system32\taskeng.exe[5236] ADVAPI32.dll!DeleteService 75CC3BEE 5 Bytes JMP 00070600
.text C:\Windows\system32\taskeng.exe[5236] ADVAPI32.dll!SetServiceObjectSecurity 75D066A9 5 Bytes JMP 00071014
.text C:\Windows\system32\taskeng.exe[5236] ADVAPI32.dll!ChangeServiceConfigA 75D067A9 5 Bytes JMP 00070804
.text C:\Windows\system32\taskeng.exe[5236] ADVAPI32.dll!ChangeServiceConfigW 75D06951 5 Bytes JMP 00070A08
.text C:\Windows\system32\taskeng.exe[5236] ADVAPI32.dll!ChangeServiceConfig2A 75D06A69 5 Bytes JMP 00070C0C
.text C:\Windows\system32\taskeng.exe[5236] ADVAPI32.dll!ChangeServiceConfig2W 75D06BB1 5 Bytes JMP 00070E10
.text C:\Windows\system32\taskeng.exe[5236] ADVAPI32.dll!CreateServiceA 75D06C71 5 Bytes JMP 000701F8
.text C:\Windows\system32\taskeng.exe[5236] USER32.dll!SetWindowsHookExW 75D57B69 5 Bytes JMP 00080804
.text C:\Windows\system32\taskeng.exe[5236] USER32.dll!SetWinEventHook 75D5915C 5 Bytes JMP 000801F8
.text C:\Windows\system32\taskeng.exe[5236] USER32.dll!UnhookWinEvent 75D5B702 5 Bytes JMP 000803FC
.text C:\Windows\system32\taskeng.exe[5236] USER32.dll!SetWindowsHookExA 75D7BB0E 5 Bytes JMP 00080600
.text C:\Windows\system32\taskeng.exe[5236] USER32.dll!UnhookWindowsHookEx 75D808BE 5 Bytes JMP 00080A08
.text C:\Windows\system32\taskeng.exe[5516] ntdll.dll!LdrLoadDll 773079B3 5 Bytes JMP 000D01F8
.text C:\Windows\system32\taskeng.exe[5516] ntdll.dll!LdrUnloadDll 7731E5AC 5 Bytes JMP 000D03FC
.text C:\Windows\system32\taskeng.exe[5516] KERNEL32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[5516] ADVAPI32.dll!CreateServiceW 75CC38FF 5 Bytes JMP 000E03FC
.text C:\Windows\system32\taskeng.exe[5516] ADVAPI32.dll!DeleteService 75CC3BEE 5 Bytes JMP 000E0600
.text C:\Windows\system32\taskeng.exe[5516] ADVAPI32.dll!SetServiceObjectSecurity 75D066A9 5 Bytes JMP 000E1014
.text C:\Windows\system32\taskeng.exe[5516] ADVAPI32.dll!ChangeServiceConfigA 75D067A9 5 Bytes JMP 000E0804
.text C:\Windows\system32\taskeng.exe[5516] ADVAPI32.dll!ChangeServiceConfigW 75D06951 5 Bytes JMP 000E0A08
.text C:\Windows\system32\taskeng.exe[5516] ADVAPI32.dll!ChangeServiceConfig2A 75D06A69 5 Bytes JMP 000E0C0C
.text C:\Windows\system32\taskeng.exe[5516] ADVAPI32.dll!ChangeServiceConfig2W 75D06BB1 5 Bytes JMP 000E0E10
.text C:\Windows\system32\taskeng.exe[5516] ADVAPI32.dll!CreateServiceA 75D06C71 5 Bytes JMP 000E01F8
.text C:\Windows\system32\taskeng.exe[5516] USER32.dll!SetWindowsHookExW 75D57B69 5 Bytes JMP 000F0804
.text C:\Windows\system32\taskeng.exe[5516] USER32.dll!SetWinEventHook 75D5915C 5 Bytes JMP 000F01F8
.text C:\Windows\system32\taskeng.exe[5516] USER32.dll!UnhookWinEvent 75D5B702 5 Bytes JMP 000F03FC
.text C:\Windows\system32\taskeng.exe[5516] USER32.dll!SetWindowsHookExA 75D7BB0E 5 Bytes JMP 000F0600
.text C:\Windows\system32\taskeng.exe[5516] USER32.dll!UnhookWindowsHookEx 75D808BE 5 Bytes JMP 000F0A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] ntdll.dll!LdrLoadDll 773079B3 5 Bytes JMP 60E3EEB0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] ntdll.dll!LdrUnloadDll 7731E5AC 5 Bytes JMP 005303FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] KERNEL32.dll!HeapSetInformation + 26 76147008 7 Bytes JMP 60E44CE9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] KERNEL32.dll!LockResource + C 7616813B 7 Bytes JMP 61449778 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] KERNEL32.dll!VirtualAllocEx + 54 7616BA7A 7 Bytes JMP 6144979B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] KERNEL32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] USER32.dll!SetWindowsHookExW 75D57B69 5 Bytes JMP 00540804
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] USER32.dll!SetWinEventHook 75D5915C 5 Bytes JMP 005401F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] USER32.dll!UnhookWinEvent 75D5B702 5 Bytes JMP 005403FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] USER32.dll!SetWindowsHookExA 75D7BB0E 5 Bytes JMP 00540600
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] USER32.dll!UnhookWindowsHookEx 75D808BE 5 Bytes JMP 00540A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] GDI32.dll!StretchDIBits + 179 75B875BB 7 Bytes JMP 614496F9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] ADVAPI32.dll!CreateServiceW 75CC38FF 5 Bytes JMP 005503FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] ADVAPI32.dll!DeleteService 75CC3BEE 5 Bytes JMP 00550600
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] ADVAPI32.dll!SetServiceObjectSecurity 75D066A9 5 Bytes JMP 00551014
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] ADVAPI32.dll!ChangeServiceConfigA 75D067A9 5 Bytes JMP 00550804
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] ADVAPI32.dll!ChangeServiceConfigW 75D06951 5 Bytes JMP 00550A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] ADVAPI32.dll!ChangeServiceConfig2A 75D06A69 5 Bytes JMP 00550C0C
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] ADVAPI32.dll!ChangeServiceConfig2W 75D06BB1 5 Bytes JMP 00550E10
.text C:\Program Files\Mozilla Firefox\firefox.exe[5572] ADVAPI32.dll!CreateServiceA 75D06C71 5 Bytes JMP 005501F8
.text C:\Program Files\WinRAR\WinRAR.exe[5820] ntdll.dll!LdrLoadDll 773079B3 5 Bytes JMP 000601F8
.text C:\Program Files\WinRAR\WinRAR.exe[5820] ntdll.dll!LdrUnloadDll 7731E5AC 5 Bytes JMP 000603FC
.text C:\Program Files\WinRAR\WinRAR.exe[5820] KERNEL32.dll!GetBinaryTypeW + 70 76171CE8 1 Byte [62]
.text C:\Program Files\WinRAR\WinRAR.exe[5820] ADVAPI32.dll!CreateServiceW 75CC38FF 5 Bytes JMP 000703FC
.text C:\Program Files\WinRAR\WinRAR.exe[5820] ADVAPI32.dll!DeleteService 75CC3BEE 5 Bytes JMP 00070600
.text C:\Program Files\WinRAR\WinRAR.exe[5820] ADVAPI32.dll!SetServiceObjectSecurity 75D066A9 5 Bytes JMP 00071014
.text C:\Program Files\WinRAR\WinRAR.exe[5820] ADVAPI32.dll!ChangeServiceConfigA 75D067A9 5 Bytes JMP 00070804
.text C:\Program Files\WinRAR\WinRAR.exe[5820] ADVAPI32.dll!ChangeServiceConfigW 75D06951 5 Bytes JMP 00070A08
.text C:\Program Files\WinRAR\WinRAR.exe[5820] ADVAPI32.dll!ChangeServiceConfig2A 75D06A69 5 Bytes JMP 00070C0C
.text C:\Program Files\WinRAR\WinRAR.exe[5820] ADVAPI32.dll!ChangeServiceConfig2W 75D06BB1 5 Bytes JMP 00070E10
.text C:\Program Files\WinRAR\WinRAR.exe[5820] ADVAPI32.dll!CreateServiceA 75D06C71 5 Bytes JMP 000701F8
.text C:\Program Files\WinRAR\WinRAR.exe[5820] USER32.dll!SetWindowsHookExW 75D57B69 5 Bytes JMP 00080804
.text C:\Program Files\WinRAR\WinRAR.exe[5820] USER32.dll!SetWinEventHook 75D5915C 5 Bytes JMP 000801F8
.text C:\Program Files\WinRAR\WinRAR.exe[5820] USER32.dll!UnhookWinEvent 75D5B702 5 Bytes JMP 000803FC
.text C:\Program Files\WinRAR\WinRAR.exe[5820] USER32.dll!SetWindowsHookExA 75D7BB0E 5 Bytes JMP 00080600
.text C:\Program Files\WinRAR\WinRAR.exe[5820] USER32.dll!UnhookWindowsHookEx 75D808BE 5 Bytes JMP 00080A08

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\services.exe[752] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00170002
IAT C:\Windows\system32\services.exe[752] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00170000
IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1904] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [71E90790] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2084] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [71E90790] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\cdfs \Cdfs B0DBD05C

---- Processes - GMER 2.1 ----

Process (*** hidden *** ) [4] 8442BA90

---- EOF - GMER 2.1 ----