spongebob Opublikowano 18 Lutego 2013 Zgłoś Udostępnij Opublikowano 18 Lutego 2013 Miałem problemy z różnymi wirusami z usb i facebooka wiec sformatowałem dysk i zainstalowałem na nowo win8 nastepnie spybot 2 , skan rootkit wykrył mi coś takiego : :: RootAlyzer Results RegyValue:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\","8" RegyValue:"No admin in ACL","HKEY_LOCAL_MACHINE","\SYSTEM\ControlSet001\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\","8" Nie moge w zaden sposób tego usunąć spybootem2 czy są to groźne rootkity czy fałszywy alarm ? Odnośnik do komentarza
picasso Opublikowano 18 Lutego 2013 Zgłoś Udostępnij Opublikowano 18 Lutego 2013 Nie usuwaj tego Spybotem. Nawiasem mówiąc on wcale nie wykrywa tego jako "rootkit", on tylko mówi No admin in ACL = brak Administratorów na liście kontroli dostępu ACL. Wszystko poprawne, są klucze w rejestrze do których Administratorzy nie mają dostępu. Ten konkretny klucz na domyślnej instalacji Windows 8 nie uwzględnia Administratorów. Swoją drogą to skaner Spybot w mojej opinii niezbyt użyteczny, nawet po w bólach urodzonej najnowszej wersji "2". Spybot już od dawna ledwo zipie. . Odnośnik do komentarza
spongebob Opublikowano 18 Lutego 2013 Autor Zgłoś Udostępnij Opublikowano 18 Lutego 2013 OK , dzieki juz skasowałem tego spybota2 , gmer jednak coś znalazł w logu zapisał to : ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [612:732] fffff9600082e5e8 ---- EOF - GMER 2.1 ---- mam świeży system nie instalowałem żadnych podejzanych gier ani programów to mogło to zostać po formacie dysku ? Jako proces mam tez jakaś chinska litere pid 4 wątki 120 Odnośnik do komentarza
picasso Opublikowano 18 Lutego 2013 Zgłoś Udostępnij Opublikowano 18 Lutego 2013 Ten wątek w GMER nie jest rootkitem. A "chińskiej litery" tu nigdzie nie widać, więc wklej cały raport a nie tak cykasz po kawałku. . Odnośnik do komentarza
spongebob Opublikowano 18 Lutego 2013 Autor Zgłoś Udostępnij Opublikowano 18 Lutego 2013 Ta chińska litera dotyczy chyba pliku ntoskrnl.exe Gmer nie skonczyl do końca skanować ale i tak duzo znalazł czy są to normalne pliki czy jakieś ślady rootkitów ? ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\ntoskrnl.exe!FsRtlIncrementCcFastMdlReadWait + 628 fffff8031140fd08 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExInterlockedAddUlong + 777 fffff8031141bcb9 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExTimedWaitForUnblockPushLock + 167 fffff8031141fbdb 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExTimedWaitForUnblockPushLock + 225 fffff8031141fc15 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoUninitializeWorkItem + 44 fffff803114208cc 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExBlockPushLock + 8 fffff8031142112c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeSetAffinityThread + 105 fffff80311429bc5 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeTryToAcquireQueuedSpinLock + 59 fffff8031142cda3 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcScheduleReadAheadEx + 966 fffff803114314da 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeQueryPrcbAddress + 766 fffff803114347da 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExSetResourceOwnerPointerEx + 276 fffff80311438694 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExSetResourceOwnerPointer + 675 fffff8031143942f 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExfReleasePushLock + 1 fffff803114394ad 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlInsertPerStreamContext + 146 fffff8031143e486 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlInsertPerStreamContext + 468 fffff8031143e5c8 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlInitializeBaseMcb + 157 fffff80311447e9d 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlLookupPerStreamContextInternal + 158 fffff803114496ae 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlInitString + 625 fffff80311449a61 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcCopyReadEx + 484 fffff8031144ddd4 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExConvertExclusiveToSharedLite + 135 fffff8031144ffc7 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExConvertExclusiveToSharedLite + 271 fffff8031145004f 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcPurgeCacheSection + 170 fffff8031145051a 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcPurgeCacheSection + 464 fffff80311450640 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ObReferenceObjectSafeWithTag + 9 fffff80311451409 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeAlertThread + 744 fffff80311454178 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeInitializeQueue + 813 fffff80311454c91 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PsGetProcessSignatureLevel + 323 fffff80311456333 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PsGetProcessSignatureLevel + 633 fffff80311456469 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!KeQueryHighestNodeNumber + 318 fffff803114569fe 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlFreeHeap + 67 fffff80311458833 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlInsertPerFileObjectContext + 206 fffff8031145e78a 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlRemovePerFileObjectContext + 201 fffff8031145e959 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!NtQuerySystemTime + 217 fffff80311462cc9 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!NtQuerySystemTime + 912 fffff80311462f80 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoGetAttachedDeviceReference + 170 fffff8031146387a 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExfTryAcquirePushLockShared + 6 fffff80311464716 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExfReleasePushLockShared + 1 fffff80311464e31 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlGetNextEntryHashTable + 227 fffff80311466667 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlGetNextEntryHashTable + 862 fffff803114668e2 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcSetLogHandleForFileEx + 293 fffff80311467959 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!NtSetInformationWorkerFactory + 581 fffff80311469375 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeInitializeDpc + 107 fffff8031146b0c7 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcGetDirtyPages + 196 fffff8031146c9b4 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcGetDirtyPages + 726 fffff8031146cbc6 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAcquireSpinLockShared + 34 fffff8031146d00a 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeSetTimerEx + 149 fffff8031146fea1 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExfAcquirePushLockShared + 24 fffff80311471398 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExfAcquirePushLockShared + 195 fffff80311471443 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!ExpInterlockedPopEntrySList + 7 fffff80311476a17 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExpInterlockedPushEntrySList + 3 fffff80311476aa3 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExpInterlockedFlushSList + 3 fffff80311476b33 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExpInterlockedFlushSList + 99 fffff80311476b93 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeInsertQueueDpc + 399 fffff803114a326f 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeInsertQueueDpc + 685 fffff803114a338d 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!memset + 545 fffff803114a3841 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!memset + 785 fffff803114a3931 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!KeReleaseInStackQueuedSpinLock + 31 fffff803114a961f 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeAcquireQueuedSpinLock + 517 fffff803114adb35 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeAcquireQueuedSpinLock + 978 fffff803114add02 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoGetRelatedDeviceObject + 994 fffff803114b2222 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExEnterPriorityRegionAndAcquireResourceExclusive + 260 fffff803114b26b4 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAllocatePoolWithQuotaTag + 262 fffff803114b6956 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAllocatePoolWithQuotaTag + 317 fffff803114b698d 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!ExAcquireRundownProtectionCacheAware + 29 fffff803114b8411 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExReleaseRundownProtectionCacheAware + 32 fffff803114b8450 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExReleaseRundownProtectionCacheAware + 964 fffff803114b87f4 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!KeUnstackDetachProcess + 535 fffff803114b91b7 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAcquireResourceSharedLite + 189 fffff803114b95dd 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAcquireResourceSharedLite + 512 fffff803114b9720 1 byte [1F] .text ... * 3 .text C:\Windows\system32\ntoskrnl.exe!ExIsResourceAcquiredSharedLite + 249 fffff803114b9b99 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAcquireResourceExclusiveLite + 241 fffff803114b9db1 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel + 31 fffff803114bb18f 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExReleaseResourceAndLeaveCriticalRegion + 163 fffff803114bb4f3 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!NtWaitForWorkViaWorkerFactory + 524 fffff803114bb7fc 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAcquireRundownProtectionCacheAwareEx + 37 fffff803114be255 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExReleaseRundownProtectionCacheAwareEx + 39 fffff803114be2b7 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeLeaveGuardedRegion + 388 fffff803114be574 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoGetRequestorProcess + 84 fffff803114bf314 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoGetRequestorProcess + 174 fffff803114bf36e 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!ObReferenceObjectSafe + 9 fffff803114c4919 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlSetBits + 800 fffff803114c7ae0 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlLookupPerFileObjectContext + 171 fffff803114c845b 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlLookupPerFileObjectContext + 687 fffff803114c865f 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!IoSetMasterIrpStatus + 222 fffff803114cae3e 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAcquireSharedStarveExclusive + 189 fffff803114cc92d 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAcquireSharedStarveExclusive + 382 fffff803114cc9ee 1 byte [1F] .text ... * 3 .text C:\Windows\system32\ntoskrnl.exe!CcUninitializeCacheMap + 484 fffff803114d3764 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcUninitializeCacheMap + 649 fffff803114d3809 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!CcSetFileSizesEx + 255 fffff803114d621f 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcSetFileSizesEx + 388 fffff803114d62a4 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcSetDirtyPinnedData + 649 fffff803114d68c9 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlNumberGenericTableElementsAvl + 212 fffff803114d8a8c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExAcquireRundownProtection + 1 fffff803114da421 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExReleaseRundownProtection + 1 fffff803114da451 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlGetNextBaseMcbEntry + 900 fffff803114da824 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcInitializeCacheMap + 462 fffff803114db6fe 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcInitializeCacheMap + 980 fffff803114db904 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcSetParallelFlushFile + 132 fffff803114dce64 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoReleaseCancelSpinLock + 48 fffff803114dcf70 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoIsActivityTracingEnabled + 140 fffff803114dd08c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!SeAccessCheck + 371 fffff803114ddd13 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!SeAccessCheck + 745 fffff803114dde89 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PsGetProcessWin32Process + 28 fffff803114dfd34 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlIsTotalDeviceFailure + 843 fffff803114e800f 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeReleaseQueuedSpinLock + 51 fffff803114e8dbf 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeReleaseQueuedSpinLock + 524 fffff803114e8f98 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeQueryActiveProcessorCountEx + 445 fffff803114e9f9d 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExfAcquirePushLockExclusive + 24 fffff803114f2778 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExfAcquirePushLockExclusive + 210 fffff803114f2832 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!CcGetFlushedValidData + 473 fffff80311501729 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!CcIsThereDirtyLoggedPages + 201 fffff80311502269 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoInvalidateDeviceRelations + 433 fffff8031150855d 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlGetThreadLangIdByIndex + 628 fffff8031151548c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoReportInterruptInactive + 285 fffff803115162dd 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeInsertDeviceQueue + 130 fffff80311519efe 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoFreeController + 237 fffff8031151a05d 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!strrchr + 558 fffff8031151aade 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!IoBoostThreadIo + 259 fffff8031151d463 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlNormalizeNtstatus + 857 fffff8031151d8f1 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlNormalizeNtstatus + 978 fffff8031151d96a 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PoFxCompleteIdleCondition + 291 fffff8031152c2b7 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PoFxCompleteIdleCondition + 865 fffff8031152c4f5 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!KeInvalidateAllCaches + 45 fffff8031152e3dd 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!_itow_s + 393 fffff80311533cf5 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!_itow_s + 476 fffff80311533d48 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!KeRemoveDeviceQueue + 154 fffff8031153442a 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PfFileInfoNotify + 399 fffff80311535d1f 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PfFileInfoNotify + 606 fffff80311535dee 1 byte [1F] .text ... * 3 .text C:\Windows\system32\ntoskrnl.exe!IoCsqInitialize + 284 fffff803115367b8 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!rand + 175 fffff803115368ef 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlCreateSectionForDataScan + 559 fffff80311536e97 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!FsRtlCreateSectionForDataScan + 597 fffff80311536ebd 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!ExAcquireRundownProtectionEx + 4 fffff8031153788c 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExReleaseRundownProtectionEx + 4 fffff803115378c4 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PoNotifyVSyncChange + 80 fffff803115391f4 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PoNotifyVSyncChange + 180 fffff80311539258 1 byte [1F] .text ... * 2 .text C:\Windows\system32\ntoskrnl.exe!ExReInitializeRundownProtection + 815 fffff80311540e3b 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!PoFxSetDeviceIdleTimeout + 186 fffff80311546e3e 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!ExIsProcessorFeaturePresent + 293 fffff8031154aa09 1 byte [1F] .text C:\Windows\system32\ntoskrnl.exe!RtlSetAllBits + 466 fffff8031154e40e 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSetTimerResolution + 126 fffff80311782cfa 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtCreateKeyTransacted + 50 fffff8031178d6de 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtCreateKeyTransacted + 221 fffff8031178d789 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtOpenKeyTransactedEx + 52 fffff8031178d854 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtOpenKeyTransactedEx + 194 fffff8031178d8e2 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtUnloadKey2 + 130 fffff8031178fdf2 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtUnloadKey2 + 425 fffff8031178ff19 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!RtlDuplicateUnicodeString + 630 fffff803117957aa 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtCreateWnfStateName + 508 fffff80311795ac8 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtCreateWnfStateName + 547 fffff80311795aef 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlOemToUnicodeN + 952 fffff80311797568 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PcwCloseInstance + 856 fffff803117992e0 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsCreateSystemThreadEx + 510 fffff80311799a8e 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtFlushKey + 114 fffff80311799c72 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtFlushKey + 373 fffff80311799d75 1 byte [1F] PAGE ... * 3 PAGE C:\Windows\system32\ntoskrnl.exe!PsReferenceKernelStack + 161 fffff8031179d891 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PcwAddInstance + 718 fffff803117a8bf6 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PcwAddInstance + 935 fffff803117a8ccf 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtDeleteWnfStateName + 451 fffff803117a934b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtUnsubscribeWnfStateChange + 358 fffff803117aa77a 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSuspendThread + 247 fffff803117b48eb 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSuspendThread + 353 fffff803117b4955 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtCreatePrivateNamespace + 482 fffff803117b58ce 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtCreatePrivateNamespace + 924 fffff803117b5a88 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtDeleteValueKey + 198 fffff803117bdc22 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtDeleteValueKey + 875 fffff803117bdec7 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtUpdateWnfStateData + 677 fffff803117be915 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtUpdateWnfStateData + 716 fffff803117be93c 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlNotifyCleanup + 492 fffff803117beccc 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlNotifyCleanup + 886 fffff803117bee56 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtDeleteKey + 121 fffff803117c02f5 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtDeleteKey + 469 fffff803117c0451 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!NtGetCurrentProcessorNumber + 533 fffff803117c2e25 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtGetCurrentProcessorNumber + 657 fffff803117c2ea1 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlDeleteKeyFromTunnelCache + 841 fffff803117c3919 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObMakeTemporaryObject + 56 fffff803117cacc0 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSetInformationObject + 305 fffff803117cd681 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlUpperChar + 198 fffff803117cf9de 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsDereferenceImpersonationToken + 200 fffff803117d096c 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!IoSetShareAccess + 344 fffff803117d0d88 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQueryMultipleValueKey + 205 fffff803117d2679 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQueryMultipleValueKey + 786 fffff803117d28be 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQueryObject + 862 fffff803117d34de 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtNotifyChangeMultipleKeys + 112 fffff803117d40f8 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ExEnumHandleTable + 81 fffff803117d4f01 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObFindHandleForObject + 115 fffff803117d5043 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsResumeProcess + 45 fffff803117d5b2d 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsResumeProcess + 104 fffff803117d5b68 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtEnumerateKey + 197 fffff803117d9735 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSetValueKey + 210 fffff803117dd5c2 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtIsUILanguageComitted + 133 fffff803117e2d61 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtIsUILanguageComitted + 277 fffff803117e2df1 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsChargeProcessWakeCounter + 754 fffff803117e4fc2 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsChargeProcessWakeCounter + 975 fffff803117e509f 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQueryValueKey + 238 fffff803117f6d4e 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQueryKey + 172 fffff803117fafcc 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcAcceptConnectPort + 240 fffff803117fd814 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtOpenKeyEx + 344 fffff803117fde80 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtOpenKeyEx + 390 fffff803117fdeae 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtOpenEvent + 407 fffff8031180126b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObReferenceObjectByName + 295 fffff80311802997 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObSetSecurityDescriptorInfo + 254 fffff80311802c2e 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObSetSecurityDescriptorInfo + 334 fffff80311802c7e 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtAlpcConnectPort + 978 fffff803118036e2 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObDuplicateObject + 134 fffff80311809826 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObDuplicateObject + 284 fffff803118098bc 1 byte [1F] PAGE ... * 3 PAGE C:\Windows\system32\ntoskrnl.exe!NtDuplicateObject + 868 fffff8031180a174 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObSetHandleAttributes + 149 fffff8031180ac55 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlQueryInformationAcl + 465 fffff8031180c7e1 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeSecurityAttributePresent + 363 fffff8031180d553 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeSecurityAttributePresent + 409 fffff8031180d581 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsLookupThreadByThreadId + 283 fffff8031180d78b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsLookupThreadByThreadId + 760 fffff8031180d968 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSetInformationKey + 151 fffff8031180e257 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSetInformationKey + 685 fffff8031180e46d 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtEnumerateValueKey + 187 fffff8031180f7bb 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtEnumerateValueKey + 873 fffff8031180fa69 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtSubscribeWnfStateChange + 412 fffff8031181086c 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQueryWnfStateData + 732 fffff80311810f44 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQueryWnfStateData + 771 fffff80311810f6b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQuerySymbolicLinkObject + 415 fffff80311811beb 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlQueryAtomInAtomTable + 250 fffff80311811e4a 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtOpenPrivateNamespace + 264 fffff80311812e00 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtOpenPrivateNamespace + 457 fffff80311812ec1 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtCreateIoCompletion + 966 fffff803118151c6 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsReferenceProcessFilePointer + 29 fffff8031181bfe1 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsReferenceProcessFilePointer + 81 fffff8031181c015 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQueryDefaultLocale + 232 fffff8031181d09c 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlLookupAtomInAtomTable + 298 fffff80311822aba 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtTerminateProcess + 313 fffff80311825a01 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtTerminateProcess + 541 fffff80311825ae5 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlDeleteAtomFromAtomTable + 195 fffff80311826c13 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlDeleteAtomFromAtomTable + 982 fffff80311826f26 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlSyncVolumes + 967 fffff80311828da3 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlTeardownPerStreamContexts + 146 fffff80311829b62 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlTeardownPerStreamContexts + 480 fffff80311829cb0 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlCancellableWaitForMultipleObjects + 533 fffff8031182a5d5 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlAllocateExtraCreateParameterFromLookasideList + 324 fffff8031182c30c 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObCloseHandle + 631 fffff8031183d19f 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeCaptureSubjectContextEx + 497 fffff8031183f811 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeCaptureSubjectContextEx + 969 fffff8031183f9e9 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeCreateClientSecurity + 459 fffff8031183fe4b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeCreateClientSecurity + 762 fffff8031183ff7a 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!NtOpenKey + 687 fffff8031184121b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObReferenceObjectByHandleWithTag + 185 fffff80311847399 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObReferenceObjectByHandleWithTag + 623 fffff8031184754f 1 byte [1F] PAGE ... * 2 PAGE C:\Windows\system32\ntoskrnl.exe!ObWaitForMultipleObjects + 246 fffff80311847cc6 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObWaitForMultipleObjects + 995 fffff80311847fb3 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObCreateObject + 981 fffff8031184b475 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtWriteFile + 164 fffff80311867ea4 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!IoRemoveShareAccess + 211 fffff8031186cc03 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsReleaseProcessExitSynchronization + 8 fffff80311870a1c 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!PsAcquireProcessExitSynchronization + 12 fffff80311870a44 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!SeLocateProcessImageName + 506 fffff8031187101a 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQueryDirectoryObject + 927 fffff80311871c1f 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObLogSecurityDescriptor + 487 fffff80311876ce7 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlUnicodeStringToAnsiString + 715 fffff8031187ab2b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlUnicodeStringToAnsiString + 957 fffff8031187ac1d 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtUnloadKeyEx + 131 fffff80311889a93 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtUnloadKeyEx + 524 fffff80311889c1c 1 byte [1F] PAGE ... * 3 PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlCurrentOplockH + 487 fffff803118a204b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtLoadKeyEx + 158 fffff803118a8f8e 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!EtwWriteEndScenario + 989 fffff803118b93cd 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQueryWnfStateNameInformation + 651 fffff803118c2f1b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtQueryWnfStateNameInformation + 690 fffff803118c2f42 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ExSizeOfRundownProtectionCacheAware + 142 fffff803118d5f76 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ExSizeOfRundownProtectionCacheAware + 797 fffff803118d6205 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!FsRtlOplockFsctrl + 267 fffff803118da87f 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!ObRegisterCallbacks + 623 fffff803118edd1f 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtLockRegistryKey + 60 fffff803118f561c 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtLockRegistryKey + 175 fffff803118f568f 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlGenerateClass5Guid + 610 fffff80311905212 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlGenerateClass5Guid + 746 fffff8031190529a 1 byte [1F] PAGE ... * 3 PAGE C:\Windows\system32\ntoskrnl.exe!NtListenPort + 830 fffff80311905e96 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtDeleteWnfStateData + 437 fffff8031190a825 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!NtDeleteWnfStateData + 472 fffff8031190a848 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!CmRegisterCallback + 440 fffff8031190d778 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlRunOnceBeginInitialize + 51 fffff8031191206b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!RtlRunOnceComplete + 95 fffff8031191214b 1 byte [1F] PAGE C:\Windows\system32\ntoskrnl.exe!IoRegisterDeviceInterface + 727 fffff8031191604b 1 byte [1F] .text C:\Windows\system32\hal.dll!HalQueryMaximumProcessorCount + 167 fffff80311b5e9a7 1 byte [1F] PAGEKRPC C:\Windows\System32\drivers\msrpc.sys!RpcAsyncInitializeHandle + 880 fffff88000daf020 1 byte [1F] PAGEKRPC C:\Windows\System32\drivers\msrpc.sys!RpcBindingCopy + 314 fffff88000db238a 1 byte [1F] PAGEKRPC C:\Windows\System32\drivers\msrpc.sys!RpcBindingFree + 218 fffff88000db93ca 1 byte [1F] PAGEKRPC C:\Windows\System32\drivers\msrpc.sys!RpcBindingBind + 330 fffff88000db97ca 1 byte [1F] PAGEKRPC C:\Windows\System32\drivers\msrpc.sys!RpcBindingBind + 675 fffff88000db9923 1 byte [1F] PAGEKRPC ... * 3 PAGEKRPC C:\Windows\System32\drivers\msrpc.sys!RpcBindingCreateW + 744 fffff88000dbb5c8 1 byte [1F] PAGEKRPC C:\Windows\System32\drivers\msrpc.sys!RpcBindingSetOption + 809 fffff88000dbcd89 1 byte [1F] PAGEKRPC C:\Windows\System32\drivers\msrpc.sys!I_RpcCompleteAndFree + 178 fffff88000dc3cd2 1 byte [1F] PAGEKRPC C:\Windows\System32\drivers\msrpc.sys!RpcBindingUnbind + 279 fffff88000dc5e27 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltGetInstanceContext + 149 fffff88000aa90c5 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltReleasePushLock + 5 fffff88000aa9125 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltDeleteInstanceContext + 85 fffff88000aac9c5 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltDeleteInstanceContext + 229 fffff88000aaca55 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltReuseCallbackData + 623 fffff88000aaf7bf 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltSetInstanceContext + 461 fffff88000ab051d 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltSetVolumeContext + 550 fffff88000ab366e 1 byte [1F] .text C:\Windows\system32\drivers\fltmgr.sys!FltGetVolumeContext + 182 fffff88000ab3806 1 byte [1F] PAGE C:\Windows\system32\drivers\fltmgr.sys!FltParseFileNameInformation + 442 fffff88000adcc5a 1 byte [1F] .text C:\Windows\system32\drivers\NETIO.SYS!KfdAleAcquireFlowHandleForFlow + 248 fffff88001984bc8 1 byte [1F] .text C:\Windows\system32\drivers\NETIO.SYS!WfpNblInfoAlloc + 483 fffff880019886d3 1 byte [1F] .text C:\Windows\System32\win32k.sys!EngBitBlt + 226 fffff96000165782 1 byte [1F] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000208300 7 bytes [C0, 85, 1B, 01, 00, F2, 9B] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000208308 5 bytes [01, A8, E4, FF, 00] .text ... * 109 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 680 fffff9600020d794 1 byte [1F] .text C:\Windows\System32\win32k.sys!EngAlphaBlend + 244 fffff96000222724 1 byte [1F] .text C:\Windows\system32\DRIVERS\mrxsmb.sys!SmbCeInitiateExchange + 115 fffff88004b8c9c3 1 byte [1F] ---- User code sections - GMER 2.1 ---- .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 000007fb53d61ec6 1 byte [1F] .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 34 000007fb53d61f52 1 byte [1F] .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 000007fb53d62022 1 byte [1F] .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 80 000007fb53d65550 1 byte [1F] .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 183 000007fb53d655b7 1 byte [1F] .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 455 000007fb53d6c407 1 byte [1F] .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 237 000007fb53d6d275 1 byte [1F] .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 346 000007fb53d6d2e2 1 byte [1F] .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!TpPostWork + 109 000007fb53d6d9bd 1 byte [1F] .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 000007fb53d6f021 1 byte [1F] .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 92 000007fb53d7abbc 1 byte [1F] .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlUpcaseUnicodeString + 696 000007fb53d7af38 1 byte [1F] .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlUpcaseUnicodeString + 867 000007fb53d7afe3 1 byte [1F] .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceBeginInitialize + 51 000007fb53d81e63 1 byte [1F] .text C:\Windows\System32\smss.exe[308] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWork + 76 000007fb53db6aac 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 000007fb53d61ec6 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 34 000007fb53d61f52 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 000007fb53d62022 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 80 000007fb53d65550 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 183 000007fb53d655b7 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 000007fb53d6a674 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackMayRunLong + 289 000007fb53d6b781 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 237 000007fb53d6d275 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 346 000007fb53d6d2e2 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!RtlImageNtHeaderEx + 287 000007fb53d6fcbf 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!LdrGetProcedureAddressForCaller + 352 000007fb53d77900 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 92 000007fb53d7abbc 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!LdrDisableThreadCalloutsForDll + 843 000007fb53d7effb 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings_U + 985 000007fb53d7f86d 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI + 635 000007fb53d7fb2b 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI + 943 000007fb53d7fc5f 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!RtlTryConvertSRWLockSharedToExclusiveOrRelease + 158 000007fb53d8030e 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceBeginInitialize + 51 000007fb53d81e63 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!RtlLCIDToCultureName + 277 000007fb53d87215 1 byte [1F] .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!RtlDestroyEnvironment + 129 000007fb53d969cd 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 000007fb53d61ec6 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 34 000007fb53d61f52 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 162 000007fb53d61fd2 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 000007fb53d62022 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 000007fb53d630b0 5 bytes [FF, 25, 1E, 16, 00] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateProcess 000007fb53d63691 5 bytes [FF, 25, 35, 10, 00] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 000007fb53d63751 5 bytes [FF, 25, A1, 11, 00] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtWaitLowEventPair + 11 000007fb53d646cc 16 bytes [D0, E2, B7, 50, FB, 07, 00, ...] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlZeroMemory + 8 000007fb53d648f8 8 bytes [b0, E3, B7, 50, FB, 07, 00, ...] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 80 000007fb53d65550 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 183 000007fb53d655b7 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlValidSid + 128 000007fb53d67820 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 000007fb53d6a674 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 111 000007fb53d6ad3f 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 399 000007fb53d6ae5f 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!wcschr + 158 000007fb53d6b5ea 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackMayRunLong + 289 000007fb53d6b781 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 87 000007fb53d6c297 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackIndependent + 455 000007fb53d6c407 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseTimer + 36 000007fb53d6ce7c 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 237 000007fb53d6d275 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 346 000007fb53d6d2e2 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlSizeHeap + 49 000007fb53d6f021 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlImageNtHeaderEx + 287 000007fb53d6fcbf 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupAtomInAtomTable + 490 000007fb53d72f56 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrGetProcedureAddressForCaller + 352 000007fb53d77900 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!TpStartAsyncIoOperation + 108 000007fb53d7a64c 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 92 000007fb53d7abbc 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrDisableThreadCalloutsForDll + 843 000007fb53d7effb 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings_U + 985 000007fb53d7f86d 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI + 635 000007fb53d7fb2b 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI + 943 000007fb53d7fc5f 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlTryConvertSRWLockSharedToExclusiveOrRelease + 158 000007fb53d8030e 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceBeginInitialize + 51 000007fb53d81e63 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlLCIDToCultureName + 277 000007fb53d87215 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlDestroyEnvironment + 129 000007fb53d969cd 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!TpReleaseWait + 46 000007fb53db62ae 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlDeregisterWaitEx + 173 000007fb53db6519 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlDeregisterWaitEx + 364 000007fb53db65d8 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\SYSTEM32\ntdll.dll!RtlAddVectoredExceptionHandler + 264 000007fb53ddf0b8 1 byte [1F] .text C:\Windows\system32\wininit.exe[580] C:\Windows\system32\USER32.dll!GetWindow + 712 000007fb513b8188 14 bytes [A0, E0, B7, 50, FB, 07, 00, ...] .text C:\Windows\system32\wininit.exe[580] C:\Windows\system32\USER32.dll!GetKeyboardState + 24 000007fb513bdd58 14 bytes [30, E0, B7, 50, FB, 07, 00, ...] .text C:\Windows\system32\wininit.exe[580] C:\Windows\system32\USER32.dll!GetWindowMinimizeRect + 520 000007fb513c45c8 14 bytes [F0, E1, B7, 50, FB, 07, 00, ...] .text C:\Windows\system32\wininit.exe[580] C:\Windows\system32\USER32.dll!LoadImageA + 88 000007fb513cf548 14 bytes [80, E1, B7, 50, FB, 07, 00, ...] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListResume16 + 2 000007fb53d61ec6 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!ExpInterlockedPopEntrySListEnd + 34 000007fb53d61f52 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!RtlInterlockedPushListSList + 2 000007fb53d62022 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 80 000007fb53d65550 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!RtlFreeHeap + 183 000007fb53d655b7 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceExecuteOnce + 36 000007fb53d6a674 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 111 000007fb53d6ad3f 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!RtlReAllocateHeap + 399 000007fb53d6ae5f 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!TpCallbackMayRunLong + 289 000007fb53d6b781 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 237 000007fb53d6d275 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!RtlpNtOpenKey + 346 000007fb53d6d2e2 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!RtlImageNtHeaderEx + 287 000007fb53d6fcbf 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!RtlLookupAtomInAtomTable + 490 000007fb53d72f56 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!LdrGetProcedureAddressForCaller + 352 000007fb53d77900 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!RtlRunOnceComplete + 92 000007fb53d7abbc 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!LdrDisableThreadCalloutsForDll + 843 000007fb53d7effb 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!RtlExpandEnvironmentStrings_U + 985 000007fb53d7f86d 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI + 635 000007fb53d7fb2b 1 byte [1F] .text C:\Windows\system32\csrss.exe[612] C:\Windows\SYSTEM32\ntdll.dll!LdrResolveDelayLoadedAPI + 943 000007fb53d7fc5f 1 byte [1F] Odnośnik do komentarza
picasso Opublikowano 19 Lutego 2013 Zgłoś Udostępnij Opublikowano 19 Lutego 2013 (edytowane) Log urwany. Mówiłam Ci na PW, zapisz cały raport GMER do pliku TXT i wstaw jako załącznik. Zedytuj powyższy post. Edytowane 28 Kwietnia 2013 przez Landuss 28.04.2013 - Temat zostaje zamknięty z powodu braku odpowiedzi. //Landuss Odnośnik do komentarza
Rekomendowane odpowiedzi