Inactive [A] Zeroaccess!inf

Status
Not open for further replies.
ComboFix & Norton found ZeroAccess!inf.
ComboFix said it's in the /system32 service.exe file.
I need help cleaning it.
Windows Vista.

Thank you.
 
Welcome aboard


Please complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-09 09:34:38
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD64 rev.01.0
Running: gmyhger.exe; Driver: C:\Users\Harish\AppData\Local\Temp\uxdirpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xE461B536]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xB4FA17BA]
SSDT 893F0960 ZwAlpcConnectPort
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xE461BF52]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xE4626D7A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xE4626DC6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xE4626F48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xE4626CE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xE4626E0A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xE4626D30]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xE461C146]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xE4626F02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xE461C8CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xE461B584]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xB4FA189E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xE461B1EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xE461B5D2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xE46202A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xE461D292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xE4626DA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xE4626DE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xE4626F6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xE4626D0E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xE4626E8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xE4626D58]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xE4626F26]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xB4FA1A1E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xE461D15E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xE461CD08]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xE461B620]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xE461B66E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xE461C74A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xE461B276]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xE461B426]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xE461B3CC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xE461CA2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xE461CB88]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xE461B496]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateProcess [0xE461C468]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xE461C5CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xE461B6BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xE461BF96]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0xE461C2CE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB4FB9744]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 10D 826E97D0 4 Bytes [36, B5, 61, E4]
.text ntkrnlpa.exe!KeSetEvent + 131 826E97F4 4 Bytes [BA, 17, FA, B4]
.text ntkrnlpa.exe!KeSetEvent + 13D 826E9800 4 Bytes [60, 09, 3F, 89]
.text ntkrnlpa.exe!KeSetEvent + 191 826E9854 4 Bytes [52, BF, 61, E4]
.text ntkrnlpa.exe!KeSetEvent + 1D1 826E9894 8 Bytes [7A, 6D, 62, E4, C6, 6D, 62, ...]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8281462F 5 Bytes JMP B4FB661C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 8286D543 5 Bytes JMP B4FB80FE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82876E68 4 Bytes CALL E461D959 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 8287AADC 4 Bytes CALL E461D96F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 828CEDF6 7 Bytes JMP B4FB9748 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

---- User code sections - GMER 1.0.15 ----

? C:\Windows\system32\services.exe[756] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: mswsock.dllunknown module: MSWSOCK.dll
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ntdll.dll!LdrLoadDll 77879378 5 Bytes JMP 001501F8
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ntdll.dll!LdrUnloadDll 7788B680 5 Bytes JMP 001503FC
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] kernel32.dll!GetBinaryTypeW + 70 76342467 1 Byte [62]
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!CreateServiceW 76869EB4 5 Bytes JMP 002603FC
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!DeleteService 7686A07E 5 Bytes JMP 00260600
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!SetServiceObjectSecurity 768A6CD9 5 Bytes JMP 00261014
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!ChangeServiceConfigA 768A6DD9 5 Bytes JMP 00260804
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!ChangeServiceConfigW 768A6F81 5 Bytes JMP 00260A08
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!ChangeServiceConfig2A 768A7099 5 Bytes JMP 00260C0C
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!ChangeServiceConfig2W 768A71E1 5 Bytes JMP 00260E10
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!CreateServiceA 768A72A1 5 Bytes JMP 002601F8
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!SetWindowsHookExA 76526322 5 Bytes JMP 00280600
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!SetWindowsHookExW 765287AD 5 Bytes JMP 00280804
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!UnhookWindowsHookEx 765298DB 5 Bytes JMP 00280A08
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!SetWinEventHook 76529F3A 5 Bytes JMP 002801F8
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!UnhookWinEvent 7652C06F 5 Bytes JMP 002803FC
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3896] kernel32.dll!GetBinaryTypeW + 70 76342467 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[5472] kernel32.dll!SetUnhandledExceptionFilter 7631A8C5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[5472] kernel32.dll!GetBinaryTypeW + 70 76342467 1 Byte [62]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[576] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [6A4EF3FB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx] 51EC8B55
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] 8B565351
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] FF560875
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile] 7151A415
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile] 85D88B00
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile] C2840FDB
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] 57000000
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 0068406A
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap] FF000010
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 006A5073
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey] 506415FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey] F88B0071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] 85FC7D89
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 9E840FFF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile] 8B000000
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv] A4F3544B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 1443B70F
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul] 0653B70F
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] 1818448D
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] 8B0CC083
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx] 08758B08
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] 03FC7D8B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] 8BF903F1
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] C083FC48
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] A4F34A28
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey] [758BE975] C:\Windows\system32\CRYPT32.dll (Crypto API32/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile] 9C3D8BFC
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenKey] 2B007151
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf] 458D0875
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 056A50F8
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] 75FF016A
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] 85D7FFFC
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] EB2574C0
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl] 04488B1D
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] 56F84D29
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 8B08508D
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] FC450300
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile] 52F8C183
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk] 5051E9D1
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNumberOfSetBitsUlongPtr] 519815FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] 7D830071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] DD7500F8
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] 50F8458D
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort] 016A016A
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx] FFFC75FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy] 74C085D7
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] 0C488D20
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] C085018B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp] F18B1774
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 03FC4D8B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace] 15FF50C1
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] [0071506C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] 8B14C683
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 75C08506
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor] FC458BEB
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce] C95B5E5F
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid] 560004C2
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce] 8210BF57
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 8B570071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] 6815FFF1
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] 6A007150
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] 3C83580F
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields] 71822885
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!memset] 09740000
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite] 8548C88B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled] EBEF75C9
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] 85348907
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] [00718228] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection] 6015FF57
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 5F007150
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread] 5756C35E
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] 718210BF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess] F18B5700
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] 506815FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] 0F6A0071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx] 85343958
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr] [00718228] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] C88B0974
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] 75C98548
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp] 8308EBF0
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx] 82288524
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 57000071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] 506015FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString] 5E5F0071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile] 800068C3
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] 006A0000
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 5C15FF51
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation] 50007150
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent] 519415FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment] 55C30071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey] 5351EC8B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] 35FF5756
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent] [00718268] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort] 519015FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess] 8D590071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] E8400044
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserThread] 000031BC
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive] 75FFFC8B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive] FC7D8908
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread] 826835FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken] 60680071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken] 57007168
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort] 518C15FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared] DB330071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared] 3910C483
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort] 6E7D085D
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock] FFF63357
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort] 71505815
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute] 85F88B00
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort] 8D3774FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess] 6A500845
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage] FF575602
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExitUserThread] 71518815
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort] 7CC08500
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute] FF556A25
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] 15FFFC75
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] [00715184] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject] C9335959
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent] 08896657
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable] FFFE1FE8
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits] 85D88BFF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay] 8B0774DB
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent] F72B0875
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW] FF57F303
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable] 71505415
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits] 74F68500
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit] FC4D8B53
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits] 718100BA
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits] 85D6FF00
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap] 684575C0
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid] 00008000
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError] 15FF5350
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] [0071505C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] 5D3936EB
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister] BB31740C
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation] [00718210] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable] 6815FF53
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution] BE007150
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] [00718264] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent] C085068B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege] 4D8B0774
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege] FFD78B08
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] 83C68BD0
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul] 283D04EE
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] 75007182
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind] 15FF53E7
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgBreakPoint] [00715060] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] 5FF0658D
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm] C2C95B5E
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm] 8B550008
IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[3896] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [664AF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[5472] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [664AF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbhub \Device\000000a9 hcmon.sys

AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys
Device \Driver\usbehci \Device\USBFDO-2 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-4 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-5 hcmon.sys
Device \Driver\usbehci \Device\USBFDO-6 hcmon.sys

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016411f4768 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001a6b2dad67 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016411f4768
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b2dad67
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016411f4768 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6b2dad67 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File C:\avast! sandbox 0 bytes
File C:\avast! sandbox\S-1-5-21-3274650611-3779995644-625994878-1006 0 bytes
File C:\avast! sandbox\S-1-5-21-3274650611-3779995644-625994878-1006\r1 0 bytes
File C:\avast! sandbox\S-1-5-21-3274650611-3779995644-625994878-1006\r1\gmer.exe_{6a4acee4-e191-11e1-9366-fdd449c4886c} 0 bytes
File C:\avast! sandbox\S-1-5-21-3274650611-3779995644-625994878-1006\r1\gmer.exe_{6a4acef5-e191-11e1-9366-fdd449c4886c} 0 bytes
File C:\avast! sandbox\snx_rhive 262144 bytes
File C:\avast! sandbox\snx_rhive.LOG1 5120 bytes
File C:\avast! sandbox\snx_rhive.LOG2 0 bytes
File C:\avast! sandbox\snx_rhive{6a4acee6-e191-11e1-9366-fdd449c4886c}.TM.blf 65536 bytes
File C:\avast! sandbox\snx_rhive{6a4acee6-e191-11e1-9366-fdd449c4886c}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File C:\avast! sandbox\snx_rhive{6a4acee6-e191-11e1-9366-fdd449c4886c}.TMContainer00000000000000000002.regtrans-ms 524288 bytes

---- EOF - GMER 1.0.15 ----
 

Attachment: gmar.txt (41.7 KB)
Re-read my reply #2.
All logs have to be pasted.
No need to attach them since you're pasting them.
 
This topic is marked as abandoned and closed due to inactivity.
This member will NOT be eligible to receive any more help in malware removal forum.
 