GMER 1.0.15.15641 -
http://www.gmer.net
Rootkit scan 2012-08-09 09:34:38
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD64 rev.01.0
Running: gmyhger.exe; Driver: C:\Users\Harish\AppData\Local\Temp\uxdirpoc.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xE461B536]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xB4FA17BA]
SSDT 893F0960 ZwAlpcConnectPort
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xE461BF52]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xE4626D7A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xE4626DC6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xE4626F48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xE4626CE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xE4626E0A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xE4626D30]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xE461C146]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xE4626F02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xE461C8CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xE461B584]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xB4FA189E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xE461B1EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xE461B5D2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xE46202A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xE461D292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xE4626DA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xE4626DE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xE4626F6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xE4626D0E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xE4626E8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xE4626D58]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xE4626F26]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xB4FA1A1E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xE461D15E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xE461CD08]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xE461B620]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xE461B66E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xE461C74A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xE461B276]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xE461B426]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xE461B3CC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xE461CA2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xE461CB88]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xE461B496]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateProcess [0xE461C468]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xE461C5CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xE461B6BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xE461BF96]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0xE461C2CE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB4FB9744]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 10D 826E97D0 4 Bytes [36, B5, 61, E4]
.text ntkrnlpa.exe!KeSetEvent + 131 826E97F4 4 Bytes [BA, 17, FA, B4]
.text ntkrnlpa.exe!KeSetEvent + 13D 826E9800 4 Bytes [60, 09, 3F, 89]
.text ntkrnlpa.exe!KeSetEvent + 191 826E9854 4 Bytes [52, BF, 61, E4]
.text ntkrnlpa.exe!KeSetEvent + 1D1 826E9894 8 Bytes [7A, 6D, 62, E4, C6, 6D, 62, ...]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8281462F 5 Bytes JMP B4FB661C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 8286D543 5 Bytes JMP B4FB80FE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82876E68 4 Bytes CALL E461D959 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 8287AADC 4 Bytes CALL E461D96F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 828CEDF6 7 Bytes JMP B4FB9748 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
---- User code sections - GMER 1.0.15 ----
? C:\Windows\system32\services.exe[756] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: mswsock.dllunknown module: MSWSOCK.dll
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ntdll.dll!LdrLoadDll 77879378 5 Bytes JMP 001501F8
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ntdll.dll!LdrUnloadDll 7788B680 5 Bytes JMP 001503FC
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] kernel32.dll!GetBinaryTypeW + 70 76342467 1 Byte [62]
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!CreateServiceW 76869EB4 5 Bytes JMP 002603FC
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!DeleteService 7686A07E 5 Bytes JMP 00260600
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!SetServiceObjectSecurity 768A6CD9 5 Bytes JMP 00261014
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!ChangeServiceConfigA 768A6DD9 5 Bytes JMP 00260804
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!ChangeServiceConfigW 768A6F81 5 Bytes JMP 00260A08
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!ChangeServiceConfig2A 768A7099 5 Bytes JMP 00260C0C
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!ChangeServiceConfig2W 768A71E1 5 Bytes JMP 00260E10
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] ADVAPI32.dll!CreateServiceA 768A72A1 5 Bytes JMP 002601F8
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!SetWindowsHookExA 76526322 5 Bytes JMP 00280600
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!SetWindowsHookExW 765287AD 5 Bytes JMP 00280804
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!UnhookWindowsHookEx 765298DB 5 Bytes JMP 00280A08
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!SetWinEventHook 76529F3A 5 Bytes JMP 002801F8
.text C:\Users\Harish\Desktop\gmyhger.exe[3804] USER32.dll!UnhookWinEvent 7652C06F 5 Bytes JMP 002803FC
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3896] kernel32.dll!GetBinaryTypeW + 70 76342467 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[5472] kernel32.dll!SetUnhandledExceptionFilter 7631A8C5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[5472] kernel32.dll!GetBinaryTypeW + 70 76342467 1 Byte [62]
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[576] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [6A4EF3FB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx] 51EC8B55
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] 8B565351
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] FF560875
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile] 7151A415
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile] 85D88B00
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile] C2840FDB
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] 57000000
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 0068406A
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap] FF000010
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 006A5073
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey] 506415FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey] F88B0071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] 85FC7D89
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 9E840FFF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile] 8B000000
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv] A4F3544B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 1443B70F
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul] 0653B70F
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] 1818448D
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] 8B0CC083
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx] 08758B08
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] 03FC7D8B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] 8BF903F1
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] C083FC48
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] A4F34A28
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey] [758BE975] C:\Windows\system32\CRYPT32.dll (Crypto API32/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile] 9C3D8BFC
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenKey] 2B007151
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf] 458D0875
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 056A50F8
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] 75FF016A
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] 85D7FFFC
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] EB2574C0
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl] 04488B1D
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] 56F84D29
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 8B08508D
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] FC450300
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile] 52F8C183
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk] 5051E9D1
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNumberOfSetBitsUlongPtr] 519815FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] 7D830071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] DD7500F8
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] 50F8458D
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort] 016A016A
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx] FFFC75FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy] 74C085D7
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] 0C488D20
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] C085018B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp] F18B1774
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 03FC4D8B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace] 15FF50C1
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] [0071506C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] 8B14C683
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 75C08506
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor] FC458BEB
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce] C95B5E5F
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid] 560004C2
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce] 8210BF57
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 8B570071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] 6815FFF1
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] 6A007150
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] 3C83580F
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields] 71822885
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!memset] 09740000
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite] 8548C88B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled] EBEF75C9
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] 85348907
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] [00718228] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection] 6015FF57
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 5F007150
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread] 5756C35E
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] 718210BF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess] F18B5700
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] 506815FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] 0F6A0071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx] 85343958
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr] [00718228] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] C88B0974
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] 75C98548
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp] 8308EBF0
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx] 82288524
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 57000071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] 506015FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString] 5E5F0071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile] 800068C3
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] 006A0000
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 5C15FF51
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation] 50007150
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent] 519415FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment] 55C30071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey] 5351EC8B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] 35FF5756
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent] [00718268] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort] 519015FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess] 8D590071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] E8400044
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserThread] 000031BC
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive] 75FFFC8B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive] FC7D8908
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread] 826835FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken] 60680071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken] 57007168
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort] 518C15FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared] DB330071
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared] 3910C483
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort] 6E7D085D
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock] FFF63357
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort] 71505815
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute] 85F88B00
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort] 8D3774FF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess] 6A500845
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage] FF575602
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExitUserThread] 71518815
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort] 7CC08500
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute] FF556A25
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] 15FFFC75
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] [00715184] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject] C9335959
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent] 08896657
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable] FFFE1FE8
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits] 85D88BFF
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay] 8B0774DB
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent] F72B0875
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW] FF57F303
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable] 71505415
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits] 74F68500
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit] FC4D8B53
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits] 718100BA
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits] 85D6FF00
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap] 684575C0
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid] 00008000
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError] 15FF5350
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] [0071505C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] 5D3936EB
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister] BB31740C
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation] [00718210] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable] 6815FF53
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution] BE007150
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] [00718264] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent] C085068B
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege] 4D8B0774
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege] FFD78B08
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] 83C68BD0
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul] 283D04EE
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] 75007182
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind] 15FF53E7
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgBreakPoint] [00715060] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] 5FF0658D
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm] C2C95B5E
IAT C:\Windows\system32\services.exe[756] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm] 8B550008
IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[3896] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [664AF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[5472] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [664AF6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\usbhub \Device\000000a9 hcmon.sys
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys
Device \Driver\usbehci \Device\USBFDO-2 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-4 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-5 hcmon.sys
Device \Driver\usbehci \Device\USBFDO-6 hcmon.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016411f4768 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001a6b2dad67 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016411f4768
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b2dad67
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016411f4768 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6b2dad67 (not active ControlSet)
---- Files - GMER 1.0.15 ----
File C:\avast! sandbox 0 bytes
File C:\avast! sandbox\S-1-5-21-3274650611-3779995644-625994878-1006 0 bytes
File C:\avast! sandbox\S-1-5-21-3274650611-3779995644-625994878-1006\r1 0 bytes
File C:\avast! sandbox\S-1-5-21-3274650611-3779995644-625994878-1006\r1\gmer.exe_{6a4acee4-e191-11e1-9366-fdd449c4886c} 0 bytes
File C:\avast! sandbox\S-1-5-21-3274650611-3779995644-625994878-1006\r1\gmer.exe_{6a4acef5-e191-11e1-9366-fdd449c4886c} 0 bytes
File C:\avast! sandbox\snx_rhive 262144 bytes
File C:\avast! sandbox\snx_rhive.LOG1 5120 bytes
File C:\avast! sandbox\snx_rhive.LOG2 0 bytes
File C:\avast! sandbox\snx_rhive{6a4acee6-e191-11e1-9366-fdd449c4886c}.TM.blf 65536 bytes
File C:\avast! sandbox\snx_rhive{6a4acee6-e191-11e1-9366-fdd449c4886c}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File C:\avast! sandbox\snx_rhive{6a4acee6-e191-11e1-9366-fdd449c4886c}.TMContainer00000000000000000002.regtrans-ms 524288 bytes
---- EOF - GMER 1.0.15 ----