
My GMER, DDS logs


  • This topic is locked
2 replies to this topic

#1 Hrvoje

  • Members
  • 5 posts

Posted 19 October 2012 - 04:09 PM

ComboFix tells me that my system is infected and that an intensive scan is necessary. I waited 1-2 hours but nothing happened, and I restarted the computer. When I go to the C:\ComboFix folder it redirects me to My Computer :/ Avast and TDSSKiller show no threats.

Am i infected?


dds.txt


DDS (Ver_2012-10-19.01) - NTFS_x86
Internet Explorer: 6.0.2900.5512
Run by User at 18:09:14 on 2012-10-19
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.221 [GMT 2:00]
.
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Datalode\Torchlight\encore_reg.exe
C:\Users\All Users\Application Data\DatacardService\DCSHost.exe
C:\Users\User\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://eu.ask.com/?l=dis&o=APN10374&gct=hp
mWinlogon: SFCDisable = dword:-99
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "c:\users\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [20090604] c:\program files\common files\datalode\torchlight\encore_reg.exe /r "c:\program files\common files\datalode\torchlight\encore_reg.rpd"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoResolveTrack = dword:1
uPolicies-Explorer: NoSMMyPictures = dword:1
uPolicies-Explorer: NoSMConfigurePrograms = dword:1
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: HideRunAsVerb = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoSMHelp = dword:1
mPolicies-Explorer: ForceClassicControlPanel = dword:1
mPolicies-Explorer: NoResolveTrack = dword:1
mPolicies-Explorer: NoSMMyPictures = dword:1
mPolicies-Explorer: NoSMConfigurePrograms = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{D1668157-C695-4D15-AB5E-9242D88A6003} : DHCPNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 iastor89;iastor89;c:\windows\system32\drivers\iastor89.sys [2009-8-15 330264]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-7-13 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-7-13 355632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-7-13 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-7-13 44808]
R2 DCSHost.exe;DCSHost.exe;c:\users\all users\application data\datacardservice\DCSHOST.exe [2012-8-1 110592]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-17 399432]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-17 676936]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2012-9-30 793048]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-17 22856]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2012-7-12 1684736]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2012-8-1 100736]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
.
=============== File Associations ===============
.
ShellExec: FOXITR~1.EXE: print="c:\progra~1\foxit\FOXITR~1.EXE"/p "%1"
ShellExec: FOXITR~1.EXE: printto="c:\progra~1\foxit\FOXITR~1.EXE"/t "%1" "%2" "%3" "%4"
.
=============== Created Last 30 ================
.
2012-10-18 17:54:01 -------- d-----w- c:\windows\system32\LogFiles
2012-10-17 17:02:06 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-17 17:02:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-10-17 14:33:27 -------- d-----w- c:\users\user\application data\runic games
2012-10-17 14:32:08 -------- d-----w- c:\program files\common files\Datalode
2012-10-17 14:28:01 -------- d-----w- c:\program files\Runic Games
2012-10-17 13:48:22 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-10-17 13:48:21 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-10-17 13:48:20 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-10-17 13:48:14 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2012-10-09 18:47:58 388096 ----a-r- c:\users\user\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-10-09 18:47:57 -------- d-----w- c:\program files\Trend Micro
2012-10-09 13:57:56 -------- d-----w- c:\users\all users\application data\Malwarebytes
2012-10-09 13:57:02 -------- d-----w- c:\users\user\application data\Malwarebytes
2012-10-09 13:53:38 -------- d-----w- c:\users\all users\application data\Malwarebytes-BackupByMalwarebytesPortable
2012-10-03 12:30:34 -------- d-----w- c:\program files\PowerISO
2012-10-03 09:08:49 -------- d-sha-r- C:\cmdcons
2012-10-03 09:07:42 98816 ----a-w- c:\windows\sed.exe
2012-10-03 09:07:42 256000 ----a-w- c:\windows\PEV.exe
2012-10-03 09:07:42 208896 ----a-w- c:\windows\MBR.exe
2012-09-30 13:15:58 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2012-09-30 13:15:58 37336 ----a-w- c:\windows\system32\CleanMFT32.exe
2012-09-30 13:15:58 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2012-09-30 13:15:58 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2012-09-30 13:15:57 658432 ----a-w- c:\windows\system32\MSCOMCT2.OCX
2012-09-30 13:15:52 -------- d-----w- c:\users\user\local settings\application data\APN
2012-09-30 13:15:49 -------- d-----w- c:\program files\common files\PC Tools
2012-09-30 13:15:48 -------- d-----w- c:\program files\PC Tools Registry Mechanic
2012-09-30 13:15:41 -------- d-----w- c:\users\all users\application data\Ask
2012-09-30 13:15:12 -------- d-----w- c:\users\all users\application data\YTD Video Downloader
2012-09-30 13:15:06 -------- d-----w- c:\program files\GreenTree Applications
.
==================== Find3M ====================
.
2012-08-21 09:13:15 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:12:33 41224 ----a-w- c:\windows\avastSS.scr
2012-08-17 04:41:50 113104 ----a-w- c:\windows\system32\drivers\scdemu.sys
.
============= FINISH: 18:09:49,67 ===============



attach.txt (from DDS)


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-10-19.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12.7.2012 3:48:15
System Uptime: 19.10.2012 13:46:10 (5 hours ago)
.
Motherboard: Acer | | Acadia
Processor: Intel® Pentium® Dual CPU T2390 @ 1.86GHz | uPGA-478 | 1862/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 49 GiB total, 37,224 GiB free.
D: is FIXED (NTFS) - 63 GiB total, 0,859 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_11C1&DEV_1040&SUBSYS_10250136&REV_1002\4&2E584385&0&0101
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_11C1&DEV_1040&SUBSYS_10250136&REV_1002\4&2E584385&0&0101
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
7-Zip 9.04 beta
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
µTorrent
avast! Free Antivirus
CCleaner
Free Audio CD Burner version 1.5.8.706
Google Chrome
HashCheck Shell Extension (x86-32)
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Intel® Graphics Media Accelerator Driver
IrfanView (remove only)
Java™ 6 Update 16
K-Lite Mega Codec Pack 5.0.5
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office PowerPoint 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word 2010
Microsoft Office Word MUI (English) 2010
Microsoft PowerPoint 2010
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 14
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Word 2010
Notepad++
Notepad2 (Notepad Replacement)
OpenOffice.org 3.1
PC Tools Registry Mechanic 11.0
PowerISO
QuickTime Alternative 1.90
Realtek High Definition Audio Driver
Skype™ 5.10
Spybot - Search & Destroy
Tele2 Mobile Partner
Torchlight
Winamp
WinRAR archiver
YTD Video Downloader 3.9.2
.
==== Event Viewer Messages From Past Week ========
.
16.10.2012 3:52:58, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
15.10.2012 22:39:01, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
.
==== End Of File ===========================


GMER log



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-19 19:06:20
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.BB2O
Running: z311964d.exe; Driver: C:\Users\User\LOCALS~1\Temp\pxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA9729708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA97D47C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xA972A11C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA976B401]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA9734F28]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA9734F74]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA97350F6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA976ADB5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA9734E96]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA9734FB8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA9734EDE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xA972A310]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA97350B0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xA972AA9C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA9729756]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA976BAC7]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA976BD7D]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA972E0E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA976B932]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA976B79D]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA97D48AC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA97293BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA97297A4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA972E456]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA972B464]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA9734F52]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA9734F96]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA973511A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA976B111]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA9734EBC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA972DC5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA973503A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA9734F06]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA972DE8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA97350D4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xA97D4A2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA976B618]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA972B330]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA976B46A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xA972AEDA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA97E030E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA976A428]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA97297F2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA9729840]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xA972A91C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA9729448]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA97295F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA976BBCE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA972959E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xA972ABFE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xA972AD5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA9729668]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateProcess [0xA972A632]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xA972A794]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA972988E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xA972A160]

INT 0x62 ? 865D9BF8
INT 0x63 ? 8589FBF8
INT 0x63 ? 8589FBF8
INT 0x63 ? 8589FBF8
INT 0x82 ? 865D9BF8
INT 0x94 ? 8589FBF8
INT 0xA4 ? 8589FBF8
INT 0xB4 ? 86568BF8
INT 0xB4 ? 8589FBF8
INT 0xB4 ? 86568BF8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA97EC966]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C99 80504535 7 Bytes [A3, 72, A9, B0, 50, 73, A9] {MOV [0x50b0a972], EAX; JAE 0xffffffffffffffb0}
.text ntkrnlpa.exe!ZwCallbackReturn + 2F10 805047AC 12 Bytes [F2, 97, 72, A9, 40, 98, 72, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 12 Bytes [FE, AB, 72, A9, 5A, AD, 72, ...]
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64B8 4 Bytes CALL A972BAF1 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC54A 5 Bytes JMP A97E9806 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2FCE 5 Bytes JMP A97EB320 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1172 7 Bytes JMP A97EC96A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
? spyv.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload EC2B7934 5 Bytes JMP 8589F1D8
.text win32k.sys!EngFreeUserMem + 674 BF80994A 5 Bytes JMP A972FA6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFreeUserMem + 35D0 BF80C8A6 5 Bytes JMP A972F95E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 45 BF813939 5 Bytes JMP A972F918 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 11F0 BF81C762 5 Bytes JMP A972EFCA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngSetLastError + 7773 BF82409D 5 Bytes JMP A972E6E6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + 1F5D BF834E2B 5 Bytes JMP A972FBD8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + 39FF BF8368CD 5 Bytes JMP A972FDE0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + CED2 BF83FDA0 5 Bytes JMP A972F81E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + 10746 BF843614 5 Bytes JMP A972EFB2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBlt + 37BB BF85046D 5 Bytes JMP A972F9A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBlt + 41E3 BF850E95 5 Bytes JMP A972F08C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBlt + 42A3 BF850F55 5 Bytes JMP A972E592 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 3617 BF86DE2B 5 Bytes JMP A972EC00 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 413A BF86E94E 5 Bytes JMP A972EDC0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetLastError + 1606 BF88BBC7 5 Bytes JMP A972F0A4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 3FB4 BF890A38 5 Bytes JMP A972FB20 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBltROP + 607D BF89700A 5 Bytes JMP A972E5AA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + 5959 BF8B52B1 5 Bytes JMP A972E756 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + A8E8 BF8BA240 5 Bytes JMP A972EB40 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + A973 BF8BA2CB 5 Bytes JMP A972EE06 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!FONTOBJ_pxoGetXform + E62A BF8BDF82 5 Bytes JMP A972FD3E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAlphaBlend + 1A08 BF8C3113 5 Bytes JMP A972E866 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 51AB BF8EDB43 5 Bytes JMP A972E93E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 542B BF8EDDC3 5 Bytes JMP A972EA6A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + 7651 BF8EFFE9 5 Bytes JMP A972E48C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + EF2E BF8F78C6 5 Bytes JMP A972EFE2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1994 BF912A56 5 Bytes JMP A972E682 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2568 BF91362A 5 Bytes JMP A972E812 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4EC7 BF915F89 5 Bytes JMP A972EF20 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 1925 BF943F3B 5 Bytes JMP A972FC96 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
? C:\Users\User\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\hkcmd.exe[180] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\hkcmd.exe[180] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\Users\User\My Documents\Downloads\z311964d.exe[356] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\Users\User\My Documents\Downloads\z311964d.exe[356] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[504] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[504] kernel32.dll!SetUnhandledExceptionFilter 7C844935 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[504] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[568] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[568] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\System32\smss.exe[844] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[900] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[900] KERNEL32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1008] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1008] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[1332] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[1332] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\system32\igfxtray.exe[1352] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\igfxtray.exe[1352] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[1376] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[1376] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[1388] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[1388] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\RTHDCPL.EXE[1392] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\RTHDCPL.EXE[1392] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[1508] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\igfxpers.exe[1508] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1560] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1560] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1628] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1668] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[1668] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1748] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1748] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\system32\igfxsrvc.exe[1780] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\igfxsrvc.exe[1780] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1844] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\ctfmon.exe[1844] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\Program Files\Common Files\Datalode\Torchlight\encore_reg.exe[1864] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\Program Files\Common Files\Datalode\Torchlight\encore_reg.exe[1864] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1880] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1880] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, B4, 55, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, B7, 55, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, B4, 55, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, B5, 55, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B912BCE
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, B6, 55, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, B5, 55, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, B6, 55, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B912C3F
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, B4, 55, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B912D6D
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, B5, 55, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, B6, 55, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, B7, 55, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2060] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\Users\All Users\Application Data\DatacardService\DCSHost.exe[2068] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\Users\All Users\Application Data\DatacardService\DCSHost.exe[2068] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\Users\User\LOCALS~1\Temp\RtkBtMnt.exe[2296] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\Users\User\LOCALS~1\Temp\RtkBtMnt.exe[2296] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2312] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[2312] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2476] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[2476] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[2500] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe[2500] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2524] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2524] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[2560] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[2560] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 38, E4, 00] {SUB [EAX], BH; IN AL, 0x0}
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 3B, E4, 00] {SUB [EBX], BH; IN AL, 0x0}
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 38, E4, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 39, E4, 00] {TEST AL, 0x39; IN AL, 0x0}
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91BA52
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 3A, E4, 00] {TEST AL, 0x3a; IN AL, 0x0}
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 39, E4, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 3A, E4, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91BAC3
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 38, E4, 00] {TEST AL, 0x38; IN AL, 0x0}
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91BBF1
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 39, E4, 00] {SUB [ECX], BH; IN AL, 0x0}
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 3A, E4, 00] {SUB [EDX], BH; IN AL, 0x0}
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 3B, E4, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3048] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[3168] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[3168] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3280] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3280] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 84, F5, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 87, F5, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 84, F5, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 85, F5, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91CB9E
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 86, F5, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 85, F5, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 86, F5, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91CC0F
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 84, F5, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B91CD3D
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 85, F5, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 86, F5, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 87, F5, 00]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62]
.text C:\Users\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3760] kernel32.dll!GetBinaryTypeW + 80 7C86936C 1 Byte [62]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Ntfs \Ntfs 865D71F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\usbehci \Device\USBPDO-0 859DF500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 865691F8
Device \Driver\dmio \Device\DmControl\DmConfig 865691F8
Device \Driver\dmio \Device\DmControl\DmPnP 865691F8
Device \Driver\dmio \Device\DmControl\DmInfo 865691F8
Device \Driver\usbuhci \Device\USBPDO-1 858B61F8
Device \Driver\usbuhci \Device\USBPDO-2 858B61F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{576ADB2F-CADA-4669-A3BA-212533CC860F} 859FA1F8
Device \Driver\usbuhci \Device\USBPDO-3 858B61F8
Device \Driver\usbuhci \Device\USBPDO-4 858B61F8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\usbehci \Device\USBPDO-5 859DF500
Device \Driver\usbuhci \Device\USBPDO-6 858B61F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 865DA1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 865DA1F8
Device \Driver\Cdrom \Device\CdRom0 858AA1F8
Device \Driver\iaStor \Device\Ide\iaStor0 [F72AA360] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F7343B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7343B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7343B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [F72AA360] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 859FA1F8
Device \Driver\NetBT \Device\NetbiosSmb 859FA1F8

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\usbuhci \Device\USBFDO-0 858B61F8
Device \Driver\usbuhci \Device\USBFDO-1 858B61F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 84D301F8
Device \Driver\usbehci \Device\USBFDO-2 859DF500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 84D301F8
Device \Driver\usbuhci \Device\USBFDO-3 858B61F8
Device \Driver\usbuhci \Device\USBFDO-4 858B61F8
Device \Driver\Ftdisk \Device\FtControl 865DA1F8
Device \Driver\usbuhci \Device\USBFDO-5 858B61F8
Device \Driver\usbehci \Device\USBFDO-6 859DF500
Device \Driver\NetBT \Device\NetBT_Tcpip_{D1668157-C695-4D15-AB5E-9242D88A6003} 859FA1F8
Device \FileSystem\Cdfs \Cdfs 84D1A1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

Edited by Noviciate, 20 October 2012 - 05:21 PM.
"code" tags removed to make logs easier to read.



#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:42 PM

Posted 21 October 2012 - 08:56 AM

Hello and welcome to BleepingComputer! :)



I am Elle and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are used to identify the possible threats present on your system, so I will analyze the results they produce.


As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed so we need to get a clear look on that aspect. DO NOT make any changes to the system except the ones I tell you to, as that may produce more damage than helping us.

If you encounter a delay of over 2 days from me, please don't hesitate and private message me (link in the signature).
Do not forget to check your topic periodically and subscribe to it so that you can receive notifications regarding my replies.



Please generate another DDS log (download it from http://download.bleepingcomputer.com/sUBs/dds.com if you haven't already) and post it in your next reply along with other changes that may have occurred since you last posted.
Also download and run GMER from this link: GMER download link.



Thank you very much for your patience.




Regards,

Elle
Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:02:42 PM

Posted 23 January 2013 - 02:30 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



