GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-22 20:12:17
Windows 5.1.2600 Service Pack 3
Running: juvsz3ki.exe; Driver: C:\DOCUME~1\Yury\LOCALS~1\Temp\fwtdrpog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF1DFE6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF1DFE574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF1DFEA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF1DFE14C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF1DFE64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF1DFE08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF1DFE0F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF1DFE76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF1DFE72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF1DFE8AE]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 150 804E27AC 4 Bytes JMP EFB9F1DF
.text ntoskrnl.exe!_abnormal_termination + 428 804E2A84 4 Bytes CALL F83A1C68
? C:\DOCUME~1\Yury\LOCALS~1\Temp\mc21.tmp The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[148] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[148] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[148] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[148] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\Yury\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[344] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Documents and Settings\Yury\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[344] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\Yury\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[344] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\Yury\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[344] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Documents and Settings\Yury\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe[344] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 035C3EB5 E:\PROGRA~1\THECLE~1\TCSHEL~1.DLL (The Cleaner v6 Shell Extension/MooSoft Development Inc.)
.text C:\WINDOWS\Explorer.EXE[472] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[612] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[612] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[612] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[612] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text E:\Program Files\Process Lasso\processlasso.exe[656] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text E:\Program Files\Process Lasso\processlasso.exe[656] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text E:\Program Files\Process Lasso\processlasso.exe[656] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text E:\Program Files\Process Lasso\processlasso.exe[656] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[680] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[680] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[680] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[680] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\csrss.exe[692] KERNEL32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\csrss.exe[692] KERNEL32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[692] KERNEL32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[692] KERNEL32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[716] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[760] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[772] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F120F5A
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\iolo\common\lib\ioloServiceManager.exe[1232] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\iolo\common\lib\ioloServiceManager.exe[1232] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iolo\common\lib\ioloServiceManager.exe[1232] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\iolo\common\lib\ioloServiceManager.exe[1232] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text E:\Program Files\Process Lasso\processgovernor.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text E:\Program Files\Process Lasso\processgovernor.exe[1284] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text E:\Program Files\Process Lasso\processgovernor.exe[1284] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text E:\Program Files\Process Lasso\processgovernor.exe[1284] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1352] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1352] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1352] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1352] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\pctspk.exe[1424] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\pctspk.exe[1424] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\pctspk.exe[1424] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\pctspk.exe[1424] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1480] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1480] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1480] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1480] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\Yury\Desktop\juvsz3ki.exe[1676] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Documents and Settings\Yury\Desktop\juvsz3ki.exe[1676] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\Yury\Desktop\juvsz3ki.exe[1676] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\Yury\Desktop\juvsz3ki.exe[1676] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Documents and Settings\Yury\Desktop\juvsz3ki.exe[1676] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1916] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\spoolsv.exe[1916] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1916] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1916] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2124] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2124] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2124] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\wbem\unsecapp.exe[2124] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text E:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe[2156] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text E:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe[2156] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text E:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe[2156] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text E:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe[2156] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text E:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe[2156] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2200] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2200] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2200] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2200] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text E:\Program Files\NoAdware\NoAdware5.exe[2272] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text E:\Program Files\NoAdware\NoAdware5.exe[2272] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text E:\Program Files\NoAdware\NoAdware5.exe[2272] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text E:\Program Files\NoAdware\NoAdware5.exe[2272] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[2396] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[2396] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[2396] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[2396] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\WINDOWS\System32\svchost.exe[2396] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\alg.exe[2608] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\alg.exe[2608] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\alg.exe[2608] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\alg.exe[2608] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[3560] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[3560] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[3560] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[3560] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text C:\Program Files\Microsoft Office\Office10\WINWORD.EXE[3560] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A
.text E:\Program Files\Mozilla Firefox\firefox.exe[3972] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text E:\Program Files\Mozilla Firefox\firefox.exe[3972] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0A0F5A
.text E:\Program Files\Mozilla Firefox\firefox.exe[3972] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F040F5A
.text E:\Program Files\Mozilla Firefox\firefox.exe[3972] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 5F00003D
.text E:\Program Files\Mozilla Firefox\firefox.exe[3972] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F0D0F5A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F238CF1D-55BC-7523-7560-9CDB79BF4BC3}

---- EOF - GMER 1.0.15 ----