Channel: Tech Support Forum - Virus/Trojan/Spyware Help

Rootkit found by Avast - Internet Not working properly

Hey guys

My laptop suddenly got a problem where it would disconnect from the internet every 10 seconds. I'm connecting via wireless, and it would say something like 'no connections found' every 10 seconds, then it would detect the internet and connect for 10 seconds, and repeat.

I scanned with avast and it found a rootkit. I tried to quarantine, repair and remove one of the viruses, but it wouldn't work (I have attached the screenshots showing the errors).

Also, I ran ComboFix (sorry, I only just read in the sticky not to run it beforehand).

Here is the DDS log:


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476 BrowserJavaVersion: 10.11.2
Run by Winston at 5:49:57 on 2014-12-19
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.3005.2126 [GMT 11:00]
.
AV: avast! Antivirus *Enabled/Outdated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Outdated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.23.1
TCP: Interfaces\{42E95756-CBA2-4E9A-BB73-330EE4470D09} : DHCPNameServer = 192.168.23.1
TCP: Interfaces\{42E95756-CBA2-4E9A-BB73-330EE4470D09}\6594E405541425C4D20584551555F434 : DHCPNameServer = 8.8.8.8 203.162.4.190
TCP: Interfaces\{42E95756-CBA2-4E9A-BB73-330EE4470D09}\84E45402C4566756C60253 : DHCPNameServer = 192.168.7.1
TCP: Interfaces\{42E95756-CBA2-4E9A-BB73-330EE4470D09}\84E45402C4566756C60263 : DHCPNameServer = 192.168.6.6
TCP: Interfaces\{42E95756-CBA2-4E9A-BB73-330EE4470D09}\E47414E4028414026463F514 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{42E95756-CBA2-4E9A-BB73-330EE4470D09}\E47414E4F58414F56443F524 : DHCPNameServer = 192.168.1.1 8.8.8.8 203.162.4.190
TCP: Interfaces\{42E95756-CBA2-4E9A-BB73-330EE4470D09}\E47414E4F58414F56463F524 : DHCPNameServer = 192.168.1.1 8.8.8.8 203.162.4.190
TCP: Interfaces\{DB27DB31-3B9B-4BB9-907B-116D3339D06C} : DHCPNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\39.0.2171.95\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\winston\appdata\roaming\mozilla\firefox\profiles\jspm1w5f.default\
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_15_0_0_246.dll
FF - ExtSQL: 2014-12-04 04:10; firefox-hotfix@mozilla.org; c:\users\winston\appdata\roaming\mozilla\firefox\profiles\jspm1w5f.default\extensions\firefox-hotfix@mozilla.org.xpi
FF - ExtSQL: 2014-12-10 15:56; faststartff@gmail.com; c:\users\winston\appdata\roaming\mozilla\firefox\profiles\jspm1w5f.default\extensions\faststartff@gmail.com
FF - ExtSQL: !HIDDEN! 2014-12-10 15:56; faststartff@gmail.com; c:\users\winston\appdata\roaming\mozilla\firefox\profiles\jspm1w5f.default\extensions\faststartff@gmail.com
.
============= SERVICES / DRIVERS ===============
.
R1 {3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw;{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw;c:\windows\system32\drivers\{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw.sys [2014-12-10 43144]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-12-19 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-12-19 361032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2014-12-19 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-12-19 58680]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-12-19 44808]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-4-1 1009184]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2012-8-26 157776]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-14 311296]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2014-12-11 315496]
S2 WindowsMangerProtect;WindowsMangerProtect Service;c:\programdata\windowsmangerprotect\protectwindowsmanager.exe -service --> c:\programdata\windowsmangerprotect\ProtectWindowsManager.exe -service [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 Desura Install Service;Desura Install Service;c:\program files\common files\desura\desura_service.exe [2012-12-22 131912]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-12-14 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2014-12-18 17:36:02 -------- d-sh--w- C:\$RECYCLE.BIN
2014-12-18 17:09:12 -------- d-----w- c:\users\winston\appdata\local\temp
2014-12-18 16:53:38 98816 ----a-w- c:\windows\sed.exe
2014-12-18 16:53:38 256000 ----a-w- c:\windows\PEV.exe
2014-12-18 16:53:38 208896 ----a-w- c:\windows\MBR.exe
2014-12-18 16:52:21 -------- d-----w- c:\windows\system32\SPReview
2014-12-18 14:56:01 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-12-18 14:55:56 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-12-18 14:55:54 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-12-18 14:55:24 41224 ----a-w- c:\windows\avastSS.scr
2014-12-18 13:29:00 -------- d-----w- C:\c51a5d5eba08c576c3d6a4aa131b
2014-12-17 05:52:53 -------- d-----w- c:\users\winston\appdata\roaming\3909
2014-12-17 05:36:16 9054624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5687b376-2cc8-4325-98c6-7cc336338692}\mpengine.dll
2014-12-13 16:51:23 -------- d-----w- c:\users\winston\appdata\local\mslug3
2014-12-13 16:51:02 -------- d-----w- c:\programdata\Package Cache
2014-12-10 18:59:39 -------- d-----w- c:\windows\system32\appraiser
2014-12-10 16:20:18 1160872 ----a-w- c:\windows\system32\aitstatic.exe
2014-12-10 16:20:17 728576 ----a-w- c:\windows\system32\appraiser.dll
2014-12-10 16:20:17 610304 ----a-w- c:\windows\system32\invagent.dll
2014-12-10 16:20:17 337920 ----a-w- c:\windows\system32\generaltel.dll
2014-12-10 16:20:17 315392 ----a-w- c:\windows\system32\devinv.dll
2014-12-10 05:19:47 -------- d-----w- c:\users\winston\appdata\roaming\OpenOffice
2014-12-10 05:15:24 -------- d-----w- c:\program files\OpenOffice 4
2014-12-10 05:03:49 43144 ----a-w- c:\windows\system32\drivers\{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw.sys
2014-12-10 04:56:33 -------- d-----w- c:\programdata\WindowsMangerProtect
2014-12-10 04:56:30 -------- d-----w- c:\program files\360
2014-12-10 04:56:22 -------- d-----w- c:\users\winston\appdata\roaming\sweet-page
2014-12-04 17:04:47 -------- d-s---w- c:\windows\system32\CompatTel
2014-12-04 12:36:35 -------- d-----w- c:\windows\AutoKMS
2014-12-04 12:34:51 -------- d-----w- c:\programdata\Microsoft Toolkit
2014-12-02 15:26:51 -------- d-----w- c:\users\winston\appdata\local\Robot Entertainment
2014-12-02 07:01:23 -------- d-----w- c:\users\winston\appdata\local\Skype
2014-12-02 07:01:01 -------- d-----r- c:\program files\Skype
2014-12-01 12:16:11 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2014-12-01 12:16:11 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2014-12-01 12:16:10 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2014-12-01 11:28:20 -------- d-----w- c:\users\winston\appdata\roaming\BANDISOFT
2014-12-01 11:27:09 -------- d-----w- c:\program files\Bandicam
2014-12-01 11:27:03 -------- d-----w- c:\program files\BandiMPEG1
.
==================== Find3M ====================
.
2014-12-09 19:17:19 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-09 19:17:19 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-11-24 03:04:58 229000 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 5:50:42.53 ===============

Here is the GMER log:


GMER 2.1.19357 - GMER - Rootkit Detector and Remover
Rootkit scan 2014-12-19 06:31:26
Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Hitachi_HTS545032B9A300 rev.PB3OC64G 298.09GB
Running: gmer.exe; Driver: C:\Users\Winston\AppData\Local\Temp\pwlorfow.sys


---- System - GMER 2.1 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8EE394BA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8F544C22]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8EE39ED6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8EE44FA8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8EE44FF4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8EE45176]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8EE44F16]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8F544FA6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8EE44F5E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8EE3A11C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8EE3A2F4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8EE45130]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8EE3A93E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8EE39508]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8F544CEA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8F5433EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8EE39556]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8EE3E534]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8EE3B3A6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8EE44FD2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8EE45016]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8EE4519A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8EE44F3C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8EE450BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8EE44F86]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8EE45154]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8F544E4A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8EE3B272]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThreadEx [0x8EE3AF86]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8EE395A4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8EE395F2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8EE3A7BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8EE391FA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8EE393AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8EE39350]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8EE3AAF8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8EE3AC54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8EE3941A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8F544EFE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8EE3A636]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0x8F54341C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8EE39640]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8F544D96]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8F55DE56]
Code 92A48BFC ZwTraceEvent
Code 92A48BFB NtTraceEvent
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!NtTraceEvent 82A7E0F4 5 Bytes JMP 92A48C00
.text ntkrnlpa.exe!ZwRollbackTransaction + 13F9 82A8E829 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB3132 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 82ABA904 4 Bytes [BA, 94, E3, 8E]
.text ntkrnlpa.exe!RtlSidHashLookup + 24C 82ABA92C 4 Bytes [22, 4C, 54, 8F] {AND CL, [ESP+EDX*2-0x71]}
.text ntkrnlpa.exe!RtlSidHashLookup + 2AC 82ABA98C 4 Bytes [D6, 9E, E3, 8E] {SALC ; SAHF ; JECXZ 0xffffff92}
.text ntkrnlpa.exe!RtlSidHashLookup + 300 82ABA9E0 8 Bytes [A8, 4F, E4, 8E, F4, 4F, E4, ...] {TEST AL, 0x4f; IN AL, 0x8e; HLT ; DEC EDI; IN AL, 0x8e}
.text ntkrnlpa.exe!RtlSidHashLookup + 30C 82ABA9EC 4 Bytes [76, 51, E4, 8E] {JBE 0x53; IN AL, 0x8e}
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C5545B 5 Bytes JMP 8F55ACF6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82C6F16D 5 Bytes JMP 8F55C828 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82CB98C0 4 Bytes CALL 8EE3BA8D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 2 82CC188D 5 Bytes JMP 92A48DE0
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82CC19AD 4 Bytes CALL 8EE3BAA3 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!NtRequestWaitReplyPort + 2 82CC32B5 5 Bytes JMP 92A48D40
PAGE ntkrnlpa.exe!NtRequestPort + 2 82CD7519 5 Bytes JMP 92A48CA0
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82D27618 2 Bytes JMP 8F55DE5A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx + 3 82D2761B 4 Bytes [83, 0C, CC, CC] {OR DWORD [ESP+ECX*8], -0x34}
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\Users\Winston\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
? C:\Users\Winston\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
.text kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\csrss.exe[412] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\wininit.exe[464] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\csrss.exe[472] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\services.exe[520] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text ...
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1404] kernel32.dll!SetUnhandledExceptionFilter 768D3122 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1404] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1536] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1584] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\conhost.exe[1648] ntdll.dll!LdrUnloadDll 77B5BD1F 5 Bytes JMP 000B03FC
.text C:\Windows\system32\conhost.exe[1648] ntdll.dll!LdrLoadDll 77B5F425 5 Bytes JMP 000B01F8
.text C:\Windows\system32\conhost.exe[1648] KERNEL32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\conhost.exe[1648] USER32.dll!UnhookWindowsHookEx 7605CC7B 5 Bytes JMP 000C0A08
.text C:\Windows\system32\conhost.exe[1648] USER32.dll!UnhookWinEvent 7605D924 5 Bytes JMP 000C03FC
.text C:\Windows\system32\conhost.exe[1648] USER32.dll!SetWindowsHookExW 7606210A 5 Bytes JMP 000C0804
.text C:\Windows\system32\conhost.exe[1648] USER32.dll!SetWinEventHook 7606507E 5 Bytes JMP 000C01F8
.text C:\Windows\system32\conhost.exe[1648] USER32.dll!SetWindowsHookExA 76086DFA 5 Bytes JMP 000C0600
.text C:\Windows\System32\svchost.exe[1692] ntdll.dll!LdrUnloadDll 77B5BD1F 5 Bytes JMP 000E03FC
.text C:\Windows\System32\svchost.exe[1692] ntdll.dll!LdrLoadDll 77B5F425 5 Bytes JMP 000E01F8
.text C:\Windows\System32\svchost.exe[1692] KERNEL32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1692] USER32.dll!UnhookWindowsHookEx 7605CC7B 5 Bytes JMP 00100A08
.text C:\Windows\System32\svchost.exe[1692] USER32.dll!UnhookWinEvent 7605D924 5 Bytes JMP 001003FC
.text C:\Windows\System32\svchost.exe[1692] USER32.dll!SetWindowsHookExW 7606210A 5 Bytes JMP 00100804
.text C:\Windows\System32\svchost.exe[1692] USER32.dll!SetWinEventHook 7606507E 5 Bytes JMP 001001F8
.text C:\Windows\System32\svchost.exe[1692] USER32.dll!SetWindowsHookExA 76086DFA 5 Bytes JMP 00100600
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1752] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1792] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\ctfmon.exe[1892] ntdll.dll!LdrUnloadDll 77B5BD1F 5 Bytes JMP 000E03FC
.text C:\Windows\system32\ctfmon.exe[1892] ntdll.dll!LdrLoadDll 77B5F425 5 Bytes JMP 000E01F8
.text C:\Windows\system32\ctfmon.exe[1892] KERNEL32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\ctfmon.exe[1892] USER32.dll!UnhookWindowsHookEx 7605CC7B 5 Bytes JMP 000F0A08
.text C:\Windows\system32\ctfmon.exe[1892] USER32.dll!UnhookWinEvent 7605D924 5 Bytes JMP 000F03FC
.text C:\Windows\system32\ctfmon.exe[1892] USER32.dll!SetWindowsHookExW 7606210A 5 Bytes JMP 000F0804
.text C:\Windows\system32\ctfmon.exe[1892] USER32.dll!SetWinEventHook 7606507E 5 Bytes JMP 000F01F8
.text C:\Windows\system32\ctfmon.exe[1892] USER32.dll!SetWindowsHookExA 76086DFA 5 Bytes JMP 000F0600
.text C:\Windows\system32\svchost.exe[1940] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1976] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2024] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[2100] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\System32\WUDFHost.exe[2184] ntdll.dll!LdrUnloadDll 77B5BD1F 5 Bytes JMP 000E03FC
.text C:\Windows\System32\WUDFHost.exe[2184] ntdll.dll!LdrLoadDll 77B5F425 5 Bytes JMP 000E01F8
.text C:\Windows\System32\WUDFHost.exe[2184] KERNEL32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\System32\WUDFHost.exe[2184] USER32.dll!UnhookWindowsHookEx 7605CC7B 5 Bytes JMP 00100A08
.text C:\Windows\System32\WUDFHost.exe[2184] USER32.dll!UnhookWinEvent 7605D924 5 Bytes JMP 001003FC
.text C:\Windows\System32\WUDFHost.exe[2184] USER32.dll!SetWindowsHookExW 7606210A 5 Bytes JMP 00100804
.text C:\Windows\System32\WUDFHost.exe[2184] USER32.dll!SetWinEventHook 7606507E 5 Bytes JMP 001001F8
.text C:\Windows\System32\WUDFHost.exe[2184] USER32.dll!SetWindowsHookExA 76086DFA 5 Bytes JMP 00100600
.text C:\Windows\system32\Dwm.exe[2200] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2596] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\wuauclt.exe[2784] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\AUDIODG.EXE[2936] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Program Files\iTunes\iTunesHelper.exe[3144] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text ...
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] ntdll.dll!LdrUnloadDll 77B5BD1F 5 Bytes JMP 000F03FC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] ntdll.dll!LdrLoadDll 77B5F425 5 Bytes JMP 000F01F8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] KERNEL32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] USER32.dll!UnhookWindowsHookEx 7605CC7B 5 Bytes JMP 00110A08
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] USER32.dll!UnhookWinEvent 7605D924 5 Bytes JMP 001103FC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] USER32.dll!SetWindowsHookExW 7606210A 5 Bytes JMP 00110804
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] USER32.dll!SetWinEventHook 7606507E 5 Bytes JMP 001101F8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] USER32.dll!SetWindowsHookExA 76086DFA 5 Bytes JMP 00110600
.text C:\Windows\Explorer.exe[3864] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 2.1 ----

Attached screenshots: avast.png (36.1 KB), aluroot 2.png (37.4 KB), aluroot 3.png (13.2 KB), aluroot 4.png (13.8 KB)
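Added example (editor's note, not code from the original post and not a feature of DDS, GMER or avast): a small triage script that parses the two log formats quoted above and pulls out the entries a helper would look at first. The sample lines are copied from the DDS "SERVICES / DRIVERS" section and the GMER "System" section of this post. The heuristics themselves (a driver file named after a GUID, a service binary under ProgramData, a DDS entry ending in "[?]" instead of a date and size, and GMER hooks with no owning module) are my assumptions about what is worth a second look; the script flags entries for review and does not decide that any of them is malicious.

```python
"""Triage helpers for DDS and GMER log excerpts (added example, not the poster's code)."""
import re
from collections import Counter

# Sample input: lines copied from the DDS "SERVICES / DRIVERS" section of the post.
DDS_SERVICES = r"""
R1 {3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw;{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw;c:\windows\system32\drivers\{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw.sys [2014-12-10 43144]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-12-19 738504]
S2 WindowsMangerProtect;WindowsMangerProtect Service;c:\programdata\windowsmangerprotect\protectwindowsmanager.exe -service --> c:\programdata\windowsmangerprotect\ProtectWindowsManager.exe -service [?]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-4-1 1009184]
"""

# Sample input: lines copied from the GMER "System" section of the post
# (two avast SSDT hooks, one avast "Code" hook, and the two "Code" entries
# GMER printed without an owning module).
GMER_SYSTEM = r"""
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8EE394BA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8F5433EC]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8F55DE56]
Code 92A48BFC ZwTraceEvent
Code 92A48BFB NtTraceEvent
"""

# DDS service line: "<start> <name>;<display>;<path and args> [<date> <size>]" or "[?]".
DDS_LINE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
DDS_TAIL = re.compile(r"\s\[(?P<stamp>[^\]]*)\]$")
BIN_PATH = re.compile(r"[a-z]:\\\S+?\.(?:exe|sys|dll)", re.I)
GUID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# GMER hook line: "SSDT|Code" then either "<module> (<owner>)" or a bare hex address,
# then the hooked function and an optional "[0x<target>]".
GMER_LINE = re.compile(
    r"^(?P<kind>SSDT|Code)\s+"
    r"(?:(?P<module>\\\S+)\s+\((?P<owner>[^)]*)\)\s+|(?P<addr>[0-9A-F]{8})\s+)?"
    r"(?P<func>\w+)(?:\s+\[0x(?P<target>[0-9A-F]+)\])?$"
)


def parse_dds_services(text):
    """Return one dict per DDS service/driver line: start type, name, binary path, stamp."""
    services = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        tail = DDS_TAIL.search(rest)
        stamp = tail.group("stamp") if tail else ""
        if tail:
            rest = rest[: tail.start()]
        # DDS writes "<as registered> --> <as resolved>"; keep the resolved form.
        target = rest.split(" --> ")[-1]
        p = BIN_PATH.search(target)
        services.append({
            "start": m.group("start"),
            "name": m.group("name"),
            "display": m.group("display"),
            "path": p.group(0) if p else target.strip(),
            "stamp": stamp,
        })
    return services


def flag_dds_services(services):
    """Heuristic review flags (assumptions, not verdicts) as (service name, reason) pairs."""
    findings = []
    for svc in services:
        basename = svc["path"].rsplit("\\", 1)[-1]
        if GUID.search(basename):
            findings.append((svc["name"], "driver file is named after a GUID"))
        if "\\programdata\\" in svc["path"].lower():
            findings.append((svc["name"], "service binary lives under ProgramData"))
        if svc["stamp"] == "?":
            # My reading of DDS output: "[?]" means it recorded no date/size for the file.
            findings.append((svc["name"], "DDS recorded no date/size for the binary ([?])"))
    return findings


def parse_gmer_hooks(text):
    """Return one dict per GMER SSDT/Code line; module is None when GMER named no owner."""
    hooks = []
    for line in text.splitlines():
        m = GMER_LINE.match(line.strip())
        if m:
            hooks.append({
                "kind": m.group("kind"),
                "module": m.group("module"),
                "owner": m.group("owner"),
                "func": m.group("func"),
                "addr": m.group("addr") or m.group("target"),
            })
    return hooks


def summarize_gmer_hooks(hooks):
    """Count hooks per owning driver and list the hooked functions with no owner reported."""
    by_owner = Counter(
        h["module"].rsplit("\\", 1)[-1] if h["module"] else "<unattributed>" for h in hooks
    )
    unattributed = [h["func"] for h in hooks if h["module"] is None]
    return by_owner, unattributed


if __name__ == "__main__":
    for name, reason in flag_dds_services(parse_dds_services(DDS_SERVICES)):
        print(f"DDS  review: {name}: {reason}")
    by_owner, unattributed = summarize_gmer_hooks(parse_gmer_hooks(GMER_SYSTEM))
    for owner, count in by_owner.most_common():
        print(f"GMER hooks:  {owner}: {count}")
    print(f"GMER hooks with no owning module: {unattributed}")
```

Running it against the excerpt separates the avast hooks (which name their driver and vendor on every line) from the two "Code" entries that carry only an address, and surfaces the GUID-named driver and the ProgramData service from the DDS list. The output is a worklist for a helper, not a diagnosis: an unattributed hook still has to be traced to whatever owns that memory before anything is concluded from it.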
