
Spam mails from my computer


  • This topic is locked
9 replies to this topic

#1 butters1990

  • Members
  • 7 posts

Posted 16 October 2011 - 02:01 AM

My computer has been sending spam mails to some of my contacts from my Yahoo account for a few weeks. Scanned my computer with my antivirus (Avast) and also MalwareBytes, although it did not find anything. I have attached the HijackThis logfile.

Attached File: hijackthis.log (6.73KB, 2 downloads)


#2 HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,622 posts

Posted 21 October 2011 - 02:05 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/423714 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 butters1990
  • Topic Starter

  • Members
  • 7 posts

Posted 26 October 2011 - 08:08 AM

DDS Log
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Butters at 12:54:30 on 2011-10-26
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2047.1079 [GMT 5.5:30]
.
AV: avast! Internet Security *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Internet Security *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: avast! Internet Security *Enabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\UnsignedThemesSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.in/
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SimpleAdblock Class: {ffcb3198-32f3-4e8b-9539-4324694ed664} - c:\program files\common files\simple adblock\SimpleAdblock.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{22FFCFD9-325A-4787-9F47-77ED0ACD6CCE} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{22FFCFD9-325A-4787-9F47-77ED0ACD6CCE} : DhcpNameServer = 192.168.1.1 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\butters\appdata\roaming\mozilla\firefox\profiles\86nput92.default\
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2011-8-18 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2011-8-18 192728]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2011-8-18 101976]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-8-18 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-8-18 301528]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-2-10 172032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-8-18 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-8-18 53592]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-8-18 42184]
R2 avast! Firewall;avast! Firewall;c:\program files\avast software\avast\afwServ.exe [2011-8-18 121000]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-9-7 21992]
R2 UnsignedThemes;Unsigned Themes;c:\windows\UnsignedThemesSvc.exe [2009-7-13 21096]
R2 uxpatch;uxpatch;c:\windows\system32\drivers\uxpatch.sys [2009-7-13 25448]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atipmdag.sys [2010-2-10 5315584]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-2-10 152064]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\drivers\L1C62x86.sys [2011-8-18 58368]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2011-8-18 30392]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-8-18 1150880]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-19 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-19 136176]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-25 22216]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-8-19 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-8-19 52224]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2011-9-7 16640]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-25 366152]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-10-26 06:44:27 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{807561ab-ff7a-4986-8500-f0cb77f0b482}\offreg.dll
2011-10-25 06:44:31 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-25 06:44:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-24 12:41:35 2616320 ----a-w- c:\windows\explorer.exe
2011-10-24 12:35:04 2616320 ----a-w- c:\windows\explorer_backup.exe
2011-10-24 12:35:04 -------- d-----w- c:\programdata\Start Orb Manager
2011-10-24 12:08:50 249856 ----a-w- c:\windows\system32\uxtheme.dll.backup
2011-10-24 12:08:47 2755072 ----a-w- c:\windows\system32\themeui.dll.backup
2011-10-24 12:08:45 37376 ----a-w- c:\windows\system32\themeservice.dll.backup
2011-10-24 12:06:16 1489920 ----a-w- c:\windows\system32\ExplorerFrame.dll
2011-10-22 10:14:59 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{807561ab-ff7a-4986-8500-f0cb77f0b482}\mpengine.dll
2011-10-17 17:34:55 -------- d-----w- c:\program files\common files\Simple Adblock
2011-10-16 06:45:03 388096 ----a-r- c:\users\butters\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-10-16 06:45:03 -------- d-----w- c:\program files\Trend Micro
2011-10-16 03:59:05 -------- d-----w- c:\users\butters\appdata\roaming\Malwarebytes
2011-10-16 03:59:00 -------- d-----w- c:\programdata\Malwarebytes
2011-10-12 12:37:45 2334720 ----a-w- c:\windows\system32\win32k.sys
2011-10-12 12:36:06 75776 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 12:36:06 465408 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 12:36:02 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-12 12:36:02 233472 ----a-w- c:\windows\system32\oleacc.dll
2011-10-03 09:15:07 -------- d-----w- c:\windows\system32\appmgmt
2011-09-28 17:09:56 -------- d-----w- C:\TDPriv
2011-09-28 17:09:56 -------- d-----w- c:\program files\common files\Mercury Interactive
2011-09-28 17:09:51 -------- d-----w- C:\TDComDir
2011-09-28 17:09:28 -------- d-----w- c:\program files\Mercury Interactive
2011-09-27 15:27:08 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2011-09-27 15:25:59 -------- d-----w- c:\program files\Microsoft Analysis Services
2011-09-27 15:08:55 -------- d-----w- c:\users\butters\.netbeans
2011-09-27 15:08:54 -------- d-----w- c:\users\butters\.netbeans-registration
2011-09-27 15:08:48 -------- d-----w- c:\program files\Apache Software Foundation
2011-09-27 15:08:06 -------- d-----w- c:\program files\glassfish-3.0.1
2011-09-27 15:04:51 -------- d-----w- c:\program files\NetBeans 6.9.1
2011-09-27 15:03:37 -------- d-----w- c:\program files\Sun
2011-09-27 14:57:05 -------- d-----w- c:\users\butters\.nbi
.
==================== Find3M ====================
.
2011-10-12 13:07:54 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-07 15:18:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-01 02:35:59 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-08-19 15:21:10 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-08-19 12:36:06 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-08-18 16:32:26 0 ----a-w- c:\windows\ativpsrm.bin
.
============= FINISH: 12:55:58.10 ===============


GMER Log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-26 13:10:43
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD5000AAKX-001CA0 rev.15.01H15
Running: 6uxoxlet.exe; Driver: C:\Users\Butters\AppData\Local\Temp\uftiyfow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8932E9CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8EA35A68]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x89330EAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x89330F04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8933101A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x89330E02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x89330F54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x89330E56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x89330FC8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8932E9EE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8EA35B18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8932E7B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8932EA12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x89331412]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8932F4AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x89330EDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x89330F2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x89331044]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x89330E2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x89330F94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x89330E84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x89330FF2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8EA35BB0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8932F370]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8932EA36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8932EA5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8932E812]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8932E94E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8932E92A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8932E972]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8932EA7E]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8EA4A8DE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82A4C349 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A85D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82A8CD80 4 Bytes JMP C99C56B7
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82A8CDA8 4 Bytes [68, 5A, A3, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82A8CE5C 8 Bytes [AC, 0E, 33, 89, 04, 0F, 33, ...] {LODSB ; PUSH CS; XOR ECX, [ECX-0x76ccf0fc]}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82A8CE68 4 Bytes [1A, 10, 33, 89]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82A8CE84 4 Bytes [02, 0E, 33, 89]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C19BE8 5 Bytes JMP 8EA4629E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82C321B8 5 Bytes JMP 8EA47D50 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82C472FF 4 Bytes CALL 8932FE3B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82C610D1 4 Bytes CALL 8932FE51 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82CEAF10 7 Bytes JMP 8EA4A8E2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
? System32\Drivers\spcp.sys The system cannot find the path specified. !
.text C:\Windows\system32\DRIVERS\atipmdag.sys section is writeable [0x9061B000, 0x2E7C78, 0xE8000020]
.text USBPORT.SYS!DllUnload 8EBABDB9 5 Bytes JMP 85C891D8
.text ay2vx46n.SYS 9042F000 12 Bytes [44, 58, E2, 82, EE, 56, E2, ...]
.text ay2vx46n.SYS 9042F00D 9 Bytes [37, E2, 82, 48, 5B, E2, 82, ...] {AAA ; LOOP 0xffffffffffffff85; DEC EAX; POP EBX; LOOP 0xffffffffffffff89; ADD [EAX], AL}
.text ay2vx46n.SYS 9042F017 170 Bytes [00, DE, B7, B3, 88, E6, B5, ...]
.text ay2vx46n.SYS 9042F0C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text ay2vx46n.SYS 9042F0CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text ...
? C:\Users\Butters\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
.text user32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes [E9, 22, 53, 9C, 8A] {JMP 0xffffffff8a9c5327}
.text user32.dll!UnhookWinEvent 7584B750 5 Bytes [E9, 17, 49, 9C, 8A] {JMP 0xffffffff8a9c491c}
.text user32.dll!SetWindowsHookExW 7584E30C 5 Bytes [E9, D3, 1D, 9C, 8A] {JMP 0xffffffff8a9c1dd8}
.text user32.dll!SetWinEventHook 758524DC 5 Bytes [E9, 4F, DB, 9B, 8A] {JMP 0xffffffff8a9bdb54}
.text user32.dll!SetWindowsHookExA 75876D0C 5 Bytes [E9, 97, 93, 99, 8A] {JMP 0xffffffff8a99939c}

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\wininit.exe[492] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0003006C
.text C:\Windows\system32\wininit.exe[492] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00030030
.text C:\Windows\system32\wininit.exe[492] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00100120
.text C:\Windows\system32\wininit.exe[492] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0010006C
.text C:\Windows\system32\wininit.exe[492] USER32.dll!SetWindowsHookExW 7584E30C 3 Bytes JMP 001000E4
.text C:\Windows\system32\wininit.exe[492] USER32.dll!SetWindowsHookExW + 4 7584E310 1 Byte [8A]
.text C:\Windows\system32\wininit.exe[492] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00100030
.text C:\Windows\system32\wininit.exe[492] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 001000A8
.text C:\Windows\system32\services.exe[548] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\system32\services.exe[548] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\system32\winlogon.exe[580] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0003006C
.text C:\Windows\system32\winlogon.exe[580] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00030030
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 000D0120
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 000D006C
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 000D00E4
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 000D0030
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 000D00A8
.text C:\Windows\system32\lsass.exe[600] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\system32\lsass.exe[600] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\system32\lsass.exe[600] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00160120
.text C:\Windows\system32\lsass.exe[600] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0016006C
.text C:\Windows\system32\lsass.exe[600] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 001600E4
.text C:\Windows\system32\lsass.exe[600] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00160030
.text C:\Windows\system32\lsass.exe[600] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 001600A8
.text C:\Windows\system32\lsm.exe[608] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\system32\lsm.exe[608] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\system32\svchost.exe[716] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[716] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\system32\svchost.exe[816] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[816] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\system32\atiesrxx.exe[864] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0016006C
.text C:\Windows\system32\atiesrxx.exe[864] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00160030
.text C:\Windows\system32\atiesrxx.exe[864] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 001F0120
.text C:\Windows\system32\atiesrxx.exe[864] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 001F006C
.text C:\Windows\system32\atiesrxx.exe[864] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 001F00E4
.text C:\Windows\system32\atiesrxx.exe[864] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 001F0030
.text C:\Windows\system32\atiesrxx.exe[864] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 001F00A8
.text C:\Windows\System32\svchost.exe[952] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 000A006C
.text C:\Windows\System32\svchost.exe[952] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 000A0030
.text C:\Windows\System32\svchost.exe[952] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 003F0120
.text C:\Windows\System32\svchost.exe[952] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 003F006C
.text C:\Windows\System32\svchost.exe[952] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 003F00E4
.text C:\Windows\System32\svchost.exe[952] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 003F0030
.text C:\Windows\System32\svchost.exe[952] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 003F00A8
.text C:\Windows\System32\svchost.exe[984] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\System32\svchost.exe[984] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\System32\svchost.exe[984] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00330120
.text C:\Windows\System32\svchost.exe[984] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0033006C
.text C:\Windows\System32\svchost.exe[984] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 003300E4
.text C:\Windows\System32\svchost.exe[984] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00330030
.text C:\Windows\System32\svchost.exe[984] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 003300A8
.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[1036] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 01130120
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0113006C
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 011300E4
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 01130030
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExA 75876D0C 3 Bytes JMP 011300A8
.text C:\Windows\system32\svchost.exe[1036] USER32.dll!SetWindowsHookExA + 4 75876D10 1 Byte [8B]
.text C:\Windows\UnsignedThemesSvc.exe[1068] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0016006C
.text C:\Windows\UnsignedThemesSvc.exe[1068] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00160030
.text C:\Windows\System32\spoolsv.exe[1120] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\System32\spoolsv.exe[1120] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\System32\spoolsv.exe[1120] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00190120
.text C:\Windows\System32\spoolsv.exe[1120] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0019006C
.text C:\Windows\System32\spoolsv.exe[1120] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 001900E4
.text C:\Windows\System32\spoolsv.exe[1120] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00190030
.text C:\Windows\System32\spoolsv.exe[1120] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 001900A8
.text C:\Windows\system32\svchost.exe[1188] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[1188] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\system32\svchost.exe[1188] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00310120
.text C:\Windows\system32\svchost.exe[1188] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0031006C
.text C:\Windows\system32\svchost.exe[1188] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 003100E4
.text C:\Windows\system32\svchost.exe[1188] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00310030
.text C:\Windows\system32\svchost.exe[1188] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 003100A8
.text C:\Windows\system32\atieclxx.exe[1220] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0016006C
.text C:\Windows\system32\atieclxx.exe[1220] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00160030
.text C:\Windows\system32\atieclxx.exe[1220] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 001F0120
.text C:\Windows\system32\atieclxx.exe[1220] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 001F006C
.text C:\Windows\system32\atieclxx.exe[1220] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 001F00E4
.text C:\Windows\system32\atieclxx.exe[1220] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 001F0030
.text C:\Windows\system32\atieclxx.exe[1220] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 001F00A8
.text C:\Windows\system32\svchost.exe[1388] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[1388] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\system32\svchost.exe[1388] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 005D0120
.text C:\Windows\system32\svchost.exe[1388] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 005D006C
.text C:\Windows\system32\svchost.exe[1388] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 005D00E4
.text C:\Windows\system32\svchost.exe[1388] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 005D0030
.text C:\Windows\system32\svchost.exe[1388] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 005D00A8
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1412] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1412] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1412] USER32.dll!SetWindowLongA 75848BA3 5 Bytes JMP 6743E349 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1412] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00100120
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1412] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0010006C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1412] USER32.dll!SetWindowsHookExW 7584E30C 3 Bytes JMP 001000E4
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1412] USER32.dll!SetWindowsHookExW + 4 7584E310 1 Byte [8A]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1412] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00100030
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1412] USER32.dll!SetWindowLongW 75854449 5 Bytes JMP 6743E2DB C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1412] USER32.dll!GetWindowInfo 75854B5E 5 Bytes JMP 671F89A7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1412] USER32.dll!TrackPopupMenu 75862228 5 Bytes JMP 671F8F65 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1412] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 001000A8
.text C:\Windows\system32\taskhost.exe[1428] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0005006C
.text C:\Windows\system32\taskhost.exe[1428] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00050030
.text C:\Windows\system32\taskhost.exe[1428] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 000E0120
.text C:\Windows\system32\taskhost.exe[1428] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 000E006C
.text C:\Windows\system32\taskhost.exe[1428] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 000E00E4
.text C:\Windows\system32\taskhost.exe[1428] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 000E0030
.text C:\Windows\system32\taskhost.exe[1428] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 000E00A8
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1456] kernel32.dll!SetUnhandledExceptionFilter 75A8F4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Windows\system32\svchost.exe[1568] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[1568] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\system32\svchost.exe[1568] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 002E0120
.text C:\Windows\system32\svchost.exe[1568] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 002E006C
.text C:\Windows\system32\svchost.exe[1568] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 002E00E4
.text C:\Windows\system32\svchost.exe[1568] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 002E0030
.text C:\Windows\system32\svchost.exe[1568] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 002E00A8
.text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\system32\Dwm.exe[1748] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\system32\Dwm.exe[1748] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00080120
.text C:\Windows\system32\Dwm.exe[1748] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0008006C
.text C:\Windows\system32\Dwm.exe[1748] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 000800E4
.text C:\Windows\system32\Dwm.exe[1748] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00080030
.text C:\Windows\system32\Dwm.exe[1748] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 000800A8
.text C:\Windows\Explorer.EXE[1772] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 000A006C
.text C:\Windows\Explorer.EXE[1772] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 000A0030
.text C:\Windows\Explorer.EXE[1772] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00150120
.text C:\Windows\Explorer.EXE[1772] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0015006C
.text C:\Windows\Explorer.EXE[1772] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 001500E4
.text C:\Windows\Explorer.EXE[1772] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00150030
.text C:\Windows\Explorer.EXE[1772] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 001500A8
.text C:\Windows\System32\svchost.exe[1792] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\System32\svchost.exe[1792] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Program Files\Internet Download Manager\IDMan.exe[1976] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0016006C
.text C:\Program Files\Internet Download Manager\IDMan.exe[1976] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00160030
.text C:\Program Files\Internet Download Manager\IDMan.exe[1976] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 001F0120
.text C:\Program Files\Internet Download Manager\IDMan.exe[1976] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 001F006C
.text C:\Program Files\Internet Download Manager\IDMan.exe[1976] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 001F00E4
.text C:\Program Files\Internet Download Manager\IDMan.exe[1976] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 001F0030
.text C:\Program Files\Internet Download Manager\IDMan.exe[1976] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 001F00A8
.text C:\Program Files\RocketDock\RocketDock.exe[2000] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0016006C
.text C:\Program Files\RocketDock\RocketDock.exe[2000] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00160030
.text C:\Program Files\RocketDock\RocketDock.exe[2000] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 002F0120
.text C:\Program Files\RocketDock\RocketDock.exe[2000] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 002F006C
.text C:\Program Files\RocketDock\RocketDock.exe[2000] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 002F00E4
.text C:\Program Files\RocketDock\RocketDock.exe[2000] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 002F0030
.text C:\Program Files\RocketDock\RocketDock.exe[2000] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 002F00A8
.text C:\Windows\system32\svchost.exe[2108] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[2108] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\system32\svchost.exe[2108] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 006D0120
.text C:\Windows\system32\svchost.exe[2108] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 006D006C
.text C:\Windows\system32\svchost.exe[2108] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 006D00E4
.text C:\Windows\system32\svchost.exe[2108] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 006D0030
.text C:\Windows\system32\svchost.exe[2108] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 006D00A8
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2196] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 000E006C
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2196] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 000E0030
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2196] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 002B0120
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2196] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 002B006C
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2196] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 002B00E4
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2196] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 002B0030
.text C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2196] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 002B00A8
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00100120
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0010006C
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] USER32.dll!SetWindowsHookExW 7584E30C 3 Bytes JMP 001000E4
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] USER32.dll!SetWindowsHookExW + 4 7584E310 1 Byte [8A]
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00100030
.text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[2432] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 001000A8
.text C:\Windows\system32\svchost.exe[2468] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[2468] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2508] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0005006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2508] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00050030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2508] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 000F0120
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2508] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 000F006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2508] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 000F00E4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2508] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 000F0030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2508] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 000F00A8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2796] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0005006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2796] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00050030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2796] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00130120
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2796] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0013006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2796] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 001300E4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2796] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00130030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2796] USER32.dll!SetWindowsHookExA 75876D0C 3 Bytes JMP 001300A8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2796] USER32.dll!SetWindowsHookExA + 4 75876D10 1 Byte [8A]
.text C:\Windows\system32\SearchIndexer.exe[3012] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\system32\SearchIndexer.exe[3012] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\system32\SearchIndexer.exe[3012] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00100120
.text C:\Windows\system32\SearchIndexer.exe[3012] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0010006C
.text C:\Windows\system32\SearchIndexer.exe[3012] USER32.dll!SetWindowsHookExW 7584E30C 3 Bytes JMP 001000E4
.text C:\Windows\system32\SearchIndexer.exe[3012] USER32.dll!SetWindowsHookExW + 4 7584E310 1 Byte [8A]
.text C:\Windows\system32\SearchIndexer.exe[3012] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00100030
.text C:\Windows\system32\SearchIndexer.exe[3012] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 001000A8
.text C:\Windows\System32\svchost.exe[3276] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\System32\svchost.exe[3276] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\System32\svchost.exe[3276] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00180120
.text C:\Windows\System32\svchost.exe[3276] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0018006C
.text C:\Windows\System32\svchost.exe[3276] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 001800E4
.text C:\Windows\System32\svchost.exe[3276] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00180030
.text C:\Windows\System32\svchost.exe[3276] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 001800A8
.text C:\Users\Butters\Desktop\6uxoxlet.exe[3312] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0016006C
.text C:\Users\Butters\Desktop\6uxoxlet.exe[3312] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00160030
.text C:\Users\Butters\Desktop\6uxoxlet.exe[3312] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00210120
.text C:\Users\Butters\Desktop\6uxoxlet.exe[3312] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0021006C
.text C:\Users\Butters\Desktop\6uxoxlet.exe[3312] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 002100E4
.text C:\Users\Butters\Desktop\6uxoxlet.exe[3312] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00210030
.text C:\Users\Butters\Desktop\6uxoxlet.exe[3312] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 002100A8
.text C:\Windows\system32\vssvc.exe[3420] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\system32\vssvc.exe[3420] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\system32\vssvc.exe[3420] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00100120
.text C:\Windows\system32\vssvc.exe[3420] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0010006C
.text C:\Windows\system32\vssvc.exe[3420] USER32.dll!SetWindowsHookExW 7584E30C 3 Bytes JMP 001000E4
.text C:\Windows\system32\vssvc.exe[3420] USER32.dll!SetWindowsHookExW + 4 7584E310 1 Byte [8A]
.text C:\Windows\system32\vssvc.exe[3420] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00100030
.text C:\Windows\system32\vssvc.exe[3420] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 001000A8
.text C:\Program Files\Internet Download Manager\IEMonitor.exe[3544] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0016006C
.text C:\Program Files\Internet Download Manager\IEMonitor.exe[3544] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00160030
.text C:\Program Files\Internet Download Manager\IEMonitor.exe[3544] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 001F0120
.text C:\Program Files\Internet Download Manager\IEMonitor.exe[3544] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 001F006C
.text C:\Program Files\Internet Download Manager\IEMonitor.exe[3544] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 001F00E4
.text C:\Program Files\Internet Download Manager\IEMonitor.exe[3544] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 001F0030
.text C:\Program Files\Internet Download Manager\IEMonitor.exe[3544] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 001F00A8
.text C:\Program Files\Mozilla Firefox\firefox.exe[3932] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3932] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Program Files\Mozilla Firefox\firefox.exe[3932] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 000F0120
.text C:\Program Files\Mozilla Firefox\firefox.exe[3932] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 000F006C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3932] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 000F00E4
.text C:\Program Files\Mozilla Firefox\firefox.exe[3932] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 000F0030
.text C:\Program Files\Mozilla Firefox\firefox.exe[3932] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 000F00A8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3956] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3956] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3956] USER32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 00090120
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3956] USER32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 0009006C
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3956] USER32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 000900E4
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3956] USER32.dll!SetWinEventHook 758524DC 5 Bytes JMP 00090030
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3956] USER32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 000900A8
.text C:\Windows\System32\svchost.exe[4012] ntdll.dll!LdrUnloadDll 773FC8DE 5 Bytes JMP 0006006C
.text C:\Windows\System32\svchost.exe[4012] ntdll.dll!LdrLoadDll 774022B8 5 Bytes JMP 00060030
.text C:\Windows\System32\svchost.exe[4012] user32.dll!UnhookWindowsHookEx 7584ADF9 5 Bytes JMP 001E0120
.text C:\Windows\System32\svchost.exe[4012] user32.dll!UnhookWinEvent 7584B750 5 Bytes JMP 001E006C
.text C:\Windows\System32\svchost.exe[4012] user32.dll!SetWindowsHookExW 7584E30C 5 Bytes JMP 001E00E4
.text C:\Windows\System32\svchost.exe[4012] user32.dll!SetWinEventHook 758524DC 5 Bytes JMP 001E0030
.text C:\Windows\System32\svchost.exe[4012] user32.dll!SetWindowsHookExA 75876D0C 5 Bytes JMP 001E00A8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84A7D1F8
Device \FileSystem\fastfat \FatCdrom 84C701F8
Device \Driver\volmgr \Device\VolMgrControl 84A791F8
Device \Driver\usbohci \Device\USBPDO-0 85C881F8
Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbohci \Device\USBPDO-1 85C881F8
Device \Driver\usbehci \Device\USBPDO-2 85C8C1F8
Device \Driver\sptd \Device\2676854870 spcp.sys
Device \Driver\usbohci \Device\USBPDO-3 85C881F8
Device \Driver\usbohci \Device\USBPDO-4 85C881F8

AttachedDevice \Driver\tdx \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)

Device \Driver\NetBT \Device\NetBT_Tcpip_{22FFCFD9-325A-4787-9F47-77ED0ACD6CCE} 85BC01F8
Device \Driver\usbehci \Device\USBPDO-5 85C8C1F8
Device \Driver\usbohci \Device\USBPDO-6 85C881F8
Device \Driver\volmgr \Device\HarddiskVolume1 84A791F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 84A791F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 85B3E1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84A7B1F8
Device \Driver\atapi \Device\Ide\IdePort0 84A7B1F8
Device \Driver\atapi \Device\Ide\IdePort1 84A7B1F8
Device \Driver\atapi \Device\Ide\IdePort2 84A7B1F8
Device \Driver\atapi \Device\Ide\IdePort3 84A7B1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 84A7B1F8
Device \Driver\volmgr \Device\HarddiskVolume3 84A791F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom1 85B3E1F8
Device \Driver\volmgr \Device\HarddiskVolume4 84A791F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBt_Wins_Export 85BC01F8
Device \Driver\PCI_PNP0869 \Device\0000005a spcp.sys

AttachedDevice \Driver\tdx \Device\Udp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)

Device \Driver\usbohci \Device\USBFDO-0 85C881F8
Device \Driver\usbohci \Device\USBFDO-1 85C881F8
Device \Driver\usbehci \Device\USBFDO-2 85C8C1F8
Device \Driver\usbohci \Device\USBFDO-3 85C881F8
Device \Driver\usbohci \Device\USBFDO-4 85C881F8
Device \Driver\usbehci \Device\USBFDO-5 85C8C1F8
Device \Driver\usbohci \Device\USBFDO-6 85C881F8
Device \Driver\ay2vx46n \Device\Scsi\ay2vx46n1 85C861F8
Device \Driver\ay2vx46n \Device\Scsi\ay2vx46n1Port4Path0Target0Lun0 85C861F8
Device \FileSystem\fastfat \Fat 84C701F8

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7E 0xA4 0xC4 0x19 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x2E 0xBC 0x8A ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFF 0x4C 0x14 0x8C ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7E 0xA4 0xC4 0x19 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x2E 0xBC 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFF 0x4C 0x14 0x8C ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@F:\Games\PC \xbb NEED FOR SPEED HOT PURSUIT 2010(sandroxxx)\FreeArc-0.51-win32(sandroxxx).exe 1

---- Files - GMER 1.0.15 ----

File C:\## aswSnx private storage 0 bytes
File C:\## aswSnx private storage\sfzone 0 bytes
File C:\## aswSnx private storage\sfzone\attrib 0 bytes
File C:\## aswSnx private storage\sfzone\image 0 bytes
File C:\## aswSnx private storage\sfzone\image\Program Files 0 bytes
File C:\## aswSnx private storage\sfzone\image\Program Files\AVAST Software 0 bytes
File C:\## aswSnx private storage\sfzone\image\Program Files\AVAST Software\Avast 0 bytes
File C:\## aswSnx private storage\sfzone\image\Program Files\AVAST Software\Avast\sfzone 0 bytes
File C:\## aswSnx private storage\sfzone\image\Program Files\AVAST Software\Avast\sfzone\Dictionaries 0 bytes
File C:\## aswSnx private storage\sfzone\image\Program Files\AVAST Software\Avast\sfzone\Dictionaries\en-US-1-2.bdic 548874 bytes
File C:\## aswSnx private storage\sfzone\image\Program Files\AVAST Software\Avast\sfzone\extensions 0 bytes
File C:\## aswSnx private storage\sfzone\image\Program Files\AVAST Software\Avast\sfzone\productid 32 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile 0 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\chrome_shutdown_ms.txt 4 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default 0 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Archived History 53248 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Bookmarks 505 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Bookmarks.bak 505 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache 0 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache\data_0 45056 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache\data_1 270336 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache\data_2 1056768 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache\data_3 4202496 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache\f_000001 20568 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache\f_000002 57254 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache\f_000003 18994 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache\f_000004 42964 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache\f_000005 62486 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache\f_000006 27018 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache\f_000007 103346 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache\f_000008 548874 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache\f_000009 105914 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cache\index 524656 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Cookies 8192 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Current Session 7126 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Current Tabs 6129 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Favicons 10240 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\History 90112 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\History Index 2011-08 36864 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\History Index 2011-09 36864 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\JumpListIcons 0 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\JumpListIcons\3E85.tmp 150798 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\JumpListIcons\3E96.tmp 150798 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\JumpListIconsOld 0 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\JumpListIconsOld\2B71.tmp 150798 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\JumpListIconsOld\2B81.tmp 150798 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Last Session 5954 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Last Tabs 4957 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Local Storage 0 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Plugin Data 0 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Plugin Data\Google Gears 0 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Preferences 5542 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Top Sites 20480 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\User StyleSheets 0 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\User StyleSheets\Custom.css 0 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Visited Links 131072 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Default\Web Data 61440 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\First Run 0 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Local State 2026 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Safe Browsing Bloom 1689464 bytes
File C:\## aswSnx private storage\sfzone\image\sfzone_profile\Safe Browsing Bloom Filter 2 781418 bytes
File C:\## aswSnx private storage\sfzone\image\Users 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\Local 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\Local\Temp 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\LocalLow 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\LocalLow\Microsoft 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\LocalLow\Microsoft\CryptnetUrlCache 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\48C226A0FE7D97DE1C716B47235CB639_339FE4A15083BA9D58F96C1443F0D4C4 1083 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\48C226A0FE7D97DE1C716B47235CB639_339FE4A15083BA9D58F96C1443F0D4C4 400 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\Roaming 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\Roaming\Microsoft 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\Roaming\Microsoft\Windows 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\Roaming\Microsoft\Windows\Recent 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d8b393b9387fc13c.customDestinations-ms 10638 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\Roaming\Mozilla 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\Roaming\Mozilla\Firefox 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\Roaming\Mozilla\Firefox\Profiles 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\Roaming\Mozilla\Firefox\Profiles\86nput92.default 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\AppData\Roaming\Mozilla\Firefox\Profiles\86nput92.default\places.sqlite 10485760 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\Desktop 0 bytes
File C:\## aswSnx private storage\sfzone\image\Users\Butters\Desktop\Chromium.lnk 2280 bytes
File C:\## aswSnx private storage\sfzone\image\Windows 0 bytes
File C:\## aswSnx private storage\sfzone\image\Windows\Prefetch 0 bytes
File C:\## aswSnx private storage\sfzone\image\Windows\Prefetch\AUDIODG.EXE-D0D776AC.pf 22236 bytes
File C:\## aswSnx private storage\sfzone\image\Windows\Prefetch\CTFMON.EXE-AF4187A6.pf 160450 bytes
File C:\## aswSnx private storage\sfzone\image\Windows\Prefetch\SAFEZONEBROWSER.EXE-74FF4DA2.pf 38656 bytes
File C:\## aswSnx private storage\sfzone\snx_fs.dat 13244 bytes
File C:\## aswSnx private storage\snx_rhive 262144 bytes
File C:\## aswSnx private storage\snx_rhive.LOG1 25600 bytes
File C:\## aswSnx private storage\snx_rhive.LOG2 0 bytes
File C:\## aswSnx private storage\snx_rhive{ce795803-cc02-11e0-afea-6c626d73011f}.TM.blf 65536 bytes
File C:\## aswSnx private storage\snx_rhive{ce795803-cc02-11e0-afea-6c626d73011f}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File C:\## aswSnx private storage\snx_rhive{ce795803-cc02-11e0-afea-6c626d73011f}.TMContainer00000000000000000002.regtrans-ms 524288 bytes

---- EOF - GMER 1.0.15 ----

Attached Files

  • DDS.txt (13.31KB)
  • ark.txt (110.18KB)


#4 Blade81 (Bleepin' Rocker)

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 26 October 2011 - 11:45 AM

Hi,

Have you changed your Yahoo email account password to a strong one afterwards? If not, please do so and monitor the situation for a few days.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#5 butters1990 (Topic Starter)

  • Members
  • 7 posts
  • Gender:Male

Posted 27 October 2011 - 02:09 AM

Thanks for the reply.
As for the Yahoo password, I did change it about 2 days back to a stronger one. But the password before that was changed only a month back from a password I had kept for about a year. So I don't know how my account got hacked. Anyway, I'll monitor the situation and report it to you guys.

#6 Blade81 (Bleepin' Rocker)

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 27 October 2011 - 05:13 AM

Ok, we'll see how it goes.



#7 Blade81 (Bleepin' Rocker)

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 09 November 2011 - 03:09 PM

Hi,

What's the status here?



#8 butters1990 (Topic Starter)

  • Members
  • 7 posts
  • Gender:Male

Posted 12 November 2011 - 01:17 AM

Thanks for your assistance.
So the spam mails seem to have stopped now. Although I would still like to know: how, even after I had changed my password, was my account hacked?

#9 Blade81 (Bleepin' Rocker)

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 12 November 2011 - 06:06 AM

Hi,

Wish I could answer your question, but unfortunately I don't have a 100% certain one. The logs don't show signs of malware.

Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alerted about vulnerable components in the future too. That lowers the system's infection risk.



#10 Blade81 (Bleepin' Rocker)

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 18 November 2011 - 09:38 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

