[A] Zeroaccess!inf

Inactive
By jeetu singh
Aug 8, 2012
Topic Status:
Not open for further replies.
  1. ComboFix & Norton found ZeroAccess!inf.
    ComboFix said it's in the /system32 service.exe file.
    I need help cleaning it.
    Windows Vista.

    Thank you.
  2. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. jeetu singh

    jeetu singh Newcomer, in training Topic Starter

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-08-09 09:34:38
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD64 rev.01.0
    Running: gmyhger.exe; Driver: C:\Users\Harish\AppData\Local\Temp\uxdirpoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xE461B536]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xB4FA17BA]
    SSDT 893F0960 ZwAlpcConnectPort
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xE461BF52]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xE4626D7A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xE4626DC6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xE4626F48]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xE4626CE8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xE4626E0A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xE4626D30]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xE461C146]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xE4626F02]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xE461C8CA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xE461B584]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xB4FA189E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xE461B1EC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xE461B5D2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xE46202A8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xE461D292]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xE4626DA4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xE4626DE8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xE4626F6C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xE4626D0E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xE4626E8C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xE4626D58]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xE4626F26]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xB4FA1A1E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xE461D15E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xE461CD08]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xE461B620]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xE461B66E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xE461C74A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xE461B276]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xE461B426]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xE461B3CC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xE461CA2C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xE461CB88]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xE461B496]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateProcess [0xE461C468]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xE461C5CA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xE461B6BC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xE461BF96]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0xE461C2CE]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB4FB9744]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!KeSetEvent + 10D 826E97D0 4 Bytes [36, B5, 61, E4]
    .text ntkrnlpa.exe!KeSetEvent + 131 826E97F4 4 Bytes [BA, 17, FA, B4]
    .text ntkrnlpa.exe!KeSetEvent + 13D 826E9800 4 Bytes [60, 09, 3F, 89]
    .text ntkrnlpa.exe!KeSetEvent + 191 826E9854 4 Bytes [52, BF, 61, E4]
    .text ntkrnlpa.exe!KeSetEvent + 1D1 826E9894 8 Bytes [7A, 6D, 62, E4, C6, 6D, 62, ...]
    .text ...
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8281462F 5 Bytes JMP B4FB661C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObInsertObject 8286D543 5 Bytes JMP B4FB80FE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82876E68 4 Bytes CALL E461D959 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 8287AADC 4 Bytes CALL E461D96F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 828CEDF6 7 Bytes JMP B4FB9748 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

    ---- User code sections - GMER 1.0.15 ----

    ? C:\Windows\system32\services.exe[756] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: mswsock.dllunknown module: MSWSOCK.dll
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] ntdll.dll!LdrLoadDll 77879378 5 Bytes JMP 001501F8
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] ntdll.dll!LdrUnloadDll 7788B680 5 Bytes JMP 001503FC
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] kernel32.dll!GetBinaryTypeW + 70 76342467 1 Byte [62]
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!CreateServiceW 76869EB4 5 Bytes JMP 002603FC
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!DeleteService 7686A07E 5 Bytes JMP 00260600
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!SetServiceObjectSecurity 768A6CD9 5 Bytes JMP 00261014
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!ChangeServiceConfigA 768A6DD9 5 Bytes JMP 00260804
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!ChangeServiceConfigW 768A6F81 5 Bytes JMP 00260A08
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!ChangeServiceConfig2A 768A7099 5 Bytes JMP 00260C0C
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!ChangeServiceConfig2W 768A71E1 5 Bytes JMP 00260E10
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!CreateServiceA 768A72A1 5 Bytes JMP 002601F8
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!SetWindowsHookExA 76526322 5 Bytes JMP 00280600
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!SetWindowsHookExW 765287AD 5 Bytes JMP 00280804
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!UnhookWindowsHookEx 765298DB 5 Bytes JMP 00280A08
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!SetWinEventHook 76529F3A 5 Bytes JMP 002801F8
    .text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!UnhookWinEvent 7652C06F 5 Bytes JMP 002803FC
    .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3896] kernel32.dll!GetBinaryTypeW + 70 76342467 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[5472] kernel32.dll!SetUnhandledExceptionFilter 7631A8C5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[5472] kernel32.dll!GetBinaryTypeW + 70 76342467 1 Byte [62]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[576] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [6A4EF3FB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx] 51EC8B55
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] 8B565351
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] FF560875
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile] 7151A415
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile] 85D88B00
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile] C2840FDB
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] 57000000
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 0068406A
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap] FF000010
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 006A5073
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey] 506415FF
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey] F88B0071
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] 85FC7D89
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 9E840FFF
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile] 8B000000
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv] A4F3544B
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 1443B70F
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul] 0653B70F
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] 1818448D
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] 8B0CC083
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx] 08758B08
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] 03FC7D8B
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] 8BF903F1
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] C083FC48
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] A4F34A28
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey] [758BE975] C:\Windows\system32\CRYPT32.dll (Crypto API32/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile] 9C3D8BFC
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenKey] 2B007151
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf] 458D0875
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 056A50F8
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] 75FF016A
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] 85D7FFFC
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] EB2574C0
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl] 04488B1D
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] 56F84D29
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 8B08508D
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] FC450300
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile] 52F8C183
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk] 5051E9D1
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNumberOfSetBitsUlongPtr] 519815FF
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] 7D830071
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] DD7500F8
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] 50F8458D
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort] 016A016A
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx] FFFC75FF
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy] 74C085D7
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] 0C488D20
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] C085018B
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp] F18B1774
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 03FC4D8B
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace] 15FF50C1
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] [0071506C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] 8B14C683
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 75C08506
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor] FC458BEB
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce] C95B5E5F
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid] 560004C2
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce] 8210BF57
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 8B570071
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] 6815FFF1
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] 6A007150
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] 3C83580F
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields] 71822885
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!memset] 09740000
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite] 8548C88B
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled] EBEF75C9
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] 85348907
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] [00718228] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection] 6015FF57
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 5F007150
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread] 5756C35E
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] 718210BF
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess] F18B5700
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] 506815FF
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] 0F6A0071
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx] 85343958
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr] [00718228] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] C88B0974
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] 75C98548
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp] 8308EBF0
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx] 82288524
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 57000071
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] 506015FF
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString] 5E5F0071
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile] 800068C3
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] 006A0000
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 5C15FF51
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation] 50007150
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent] 519415FF
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment] 55C30071
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey] 5351EC8B
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] 35FF5756
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent] [00718268] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort] 519015FF
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess] 8D590071
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] E8400044
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserThread] 000031BC
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive] 75FFFC8B
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive] FC7D8908
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread] 826835FF
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken] 60680071
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken] 57007168
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort] 518C15FF
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared] DB330071
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared] 3910C483
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort] 6E7D085D
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock] FFF63357
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort] 71505815
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute] 85F88B00
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort] 8D3774FF
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess] 6A500845
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage] FF575602
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExitUserThread] 71518815
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort] 7CC08500
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute] FF556A25
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] 15FFFC75
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] [00715184] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject] C9335959
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent] 08896657
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable] FFFE1FE8
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits] 85D88BFF
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay] 8B0774DB
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent] F72B0875
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW] FF57F303
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable] 71505415
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits] 74F68500
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit] FC4D8B53
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits] 718100BA
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits] 85D6FF00
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap] 684575C0
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid] 00008000
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError] 15FF5350
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] [0071505C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] 5D3936EB
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister] BB31740C
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation] [00718210] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable] 6815FF53
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution] BE007150
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] [00718264] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent] C085068B
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege] 4D8B0774
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege] FFD78B08
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] 83C68BD0
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul] 283D04EE
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] 75007182
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind] 15FF53E7
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgBreakPoint] [00715060] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] 5FF0658D
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm] C2C95B5E
    IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm] 8B550008
    IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[3896] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [664AF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
    IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[5472] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [664AF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\usbhub \Device\000000a9 hcmon.sys

    AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys
    Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys
    Device \Driver\usbehci \Device\USBFDO-2 hcmon.sys
    Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys
    Device \Driver\usbuhci \Device\USBFDO-4 hcmon.sys
    Device \Driver\usbuhci \Device\USBFDO-5 hcmon.sys
    Device \Driver\usbehci \Device\USBFDO-6 hcmon.sys

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016411f4768 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001a6b2dad67 (not active ControlSet)
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016411f4768
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b2dad67
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016411f4768 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6b2dad67 (not active ControlSet)

    ---- Files - GMER 1.0.15 ----

    File C:\avast! sandbox 0 bytes
    File C:\avast! sandbox\S-1-5-21-3274650611-3779995644-625994878-1006 0 bytes
    File C:\avast! sandbox\S-1-5-21-3274650611-3779995644-625994878-1006\r1 0 bytes
    File C:\avast! sandbox\S-1-5-21-3274650611-3779995644-625994878-1006\r1\gmer.exe_{6a4acee4-e191-11e1-9366-fdd449c4886c} 0 bytes
    File C:\avast! sandbox\S-1-5-21-3274650611-3779995644-625994878-1006\r1\gmer.exe_{6a4acef5-e191-11e1-9366-fdd449c4886c} 0 bytes
    File C:\avast! sandbox\snx_rhive 262144 bytes
    File C:\avast! sandbox\snx_rhive.LOG1 5120 bytes
    File C:\avast! sandbox\snx_rhive.LOG2 0 bytes
    File C:\avast! sandbox\snx_rhive{6a4acee6-e191-11e1-9366-fdd449c4886c}.TM.blf 65536 bytes
    File C:\avast! sandbox\snx_rhive{6a4acee6-e191-11e1-9366-fdd449c4886c}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
    File C:\avast! sandbox\snx_rhive{6a4acee6-e191-11e1-9366-fdd449c4886c}.TMContainer00000000000000000002.regtrans-ms 524288 bytes

    ---- EOF - GMER 1.0.15 ----


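Reading the "User IAT/EAT" section of a GMER log by hand is tedious when one process produces dozens of entries, as services.exe[756] does in the log above. The script below is an added example, not part of the thread and not a GMER or TechSpot tool. It parses lines in the GMER 1.0.15 "User code sections" and "User IAT/EAT" format, separates import entries that GMER resolved to a module path (the `[addr] path (description)` form) from entries left as a bare 8-digit hex value, collects the "image checksum mismatch" style notes, and flags processes that have either. The embedded sample log is a constructed excerpt in the format shown above, not the full posted log; the flagging rule (bare-hex IAT targets or integrity notes) is a triage heuristic of mine, not a verdict the thread reaches about this machine, and the analyst still has to decide whether a flagged process is actually infected.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in GMER 1.0.15 output format (a handful of lines, not the full log).
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

? C:\Windows\system32\services.exe[756] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: mswsock.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[576] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [6A4EF3FB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] FF560875
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile] 85D88B00
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] [00718228] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[5472] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [664AF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- EOF - GMER 1.0.15 ----
"""

# "IAT <process>[<pid>] @ <module> [<dll!import>] <target>"
IAT_RE = re.compile(r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) \[(?P<imp>[^\]]+)\] (?P<target>.+)$")
# Target that GMER mapped to a loaded module: "[ADDR] <path> (<description>)"
RESOLVED_RE = re.compile(r"^\[(?P<addr>[0-9A-Fa-f]{8})\] (?P<path>.+?)(?: \((?P<desc>[^)]*)\))?$")
# Target left as a bare 8-digit hex value: GMER found no module owning that address.
RAW_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
# "? <process>[<pid>] <module> image checksum mismatch; ..." integrity notes
INTEGRITY_RE = re.compile(
    r"^\? (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<module>.+?) "
    r"(?P<notes>(?:image checksum|time/date stamp|unknown module).*)$"
)


@dataclass
class ProcessReport:
    unresolved: list = field(default_factory=list)  # (module, import, raw hex target)
    resolved: dict = field(default_factory=dict)    # import -> path GMER attributed it to
    notes: list = field(default_factory=list)       # integrity notes from "?" lines


def parse_gmer(text):
    """Group IAT entries and integrity notes by '<process>[<pid>]'."""
    reports = defaultdict(ProcessReport)
    for raw in text.splitlines():
        line = raw.strip()
        m = IAT_RE.match(line)
        if m:
            rep = reports[f"{m['proc']}[{m['pid']}]"]
            target = m["target"]
            r = RESOLVED_RE.match(target)
            if r:
                rep.resolved[m["imp"]] = r["path"]
            elif RAW_RE.match(target):
                rep.unresolved.append((m["module"], m["imp"], target.upper()))
            continue
        m = INTEGRITY_RE.match(line)
        if m:
            reports[f"{m['proc']}[{m['pid']}]"].notes.append(f"{m['module']}: {m['notes']}")
    return dict(reports)


def triage(reports, min_unresolved=1):
    """Heuristic (assumption, not a GMER rule): flag processes whose IAT has
    at least `min_unresolved` targets GMER could not map to any module, or
    that carry an image checksum / timestamp / unknown-module note."""
    return sorted(
        key for key, rep in reports.items()
        if len(rep.unresolved) >= min_unresolved or rep.notes
    )


if __name__ == "__main__":
    reps = parse_gmer(SAMPLE_LOG)
    for key in triage(reps):
        rep = reps[key]
        print(f"{key}: {len(rep.unresolved)} unresolved IAT target(s), "
              f"{len(rep.resolved)} resolved, notes={rep.notes}")
        for module, imp, addr in rep.unresolved:
            print(f"    {imp} in {module} -> {addr} (no owning module)")
```

Run it against a full GMER log by replacing `SAMPLE_LOG` with the file contents; the resolved entries stay visible in the report so you can see when a hook belongs to a security product or a Windows compatibility shim rather than to nothing at all.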
  4. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Go on...
    No need to attach any logs.
  5. jeetu singh

    jeetu singh Newcomer, in training Topic Starter

  6. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Re-read my reply #2.
    All logs have to be pasted.
    No need to attach them since you're pasting them.
  7. jeetu singh

    jeetu singh Newcomer, in training Topic Starter

    Oh, OK, I'm sorry... so I did attach the file before.
  8. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    Go on....
  9. Broni

    Broni Malware Annihilator Posts: 46,132   +251

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in malware removal forum.