GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-25 08:27:01
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 Hitachi_HTS542580K9SA00 rev.BBBOC31P
Running: whk19gqt.exe; Driver: C:\Users\Admin\AppData\Local\Temp\aglorpod.sys

---- Kernel code sections - GMER 1.0.15 ----

.text  i8042prt.sys  8B730000 28 Bytes [90, 90, 90, 90, 90, FF, 25, ...]
.text  i8042prt.sys  8B73001D 5 Bytes [6C, 24, 10, 8D, 6C]
.text  i8042prt.sys  8B730023 33 Bytes [10, 2B, E0, 53, 56, 57, A1, ...]
.text  i8042prt.sys  8B730045 36 Bytes [45, F8, 8D, 45, F0, 64, A3, ...]
.text  i8042prt.sys  8B73006A 1 Byte [57]
.text  ...
?      C:\Windows\system32\DRIVERS\i8042prt.sys  suspicious PE modification

---- User code sections - GMER 1.0.15 ----

?      C:\Windows\system32\svchost.exe[976] C:\Windows\system32\smss.exe  image checksum mismatch; time/date stamp mismatch;

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!KfLowerIrql]  90909090
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!KeGetCurrentIrql]  55FF8B90
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!KfRaiseIrql]  EC83EC8B

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx]  83EC8B55
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar]  458D74EC
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose]  15FF50F8
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile]  [00DEF014] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile]  01FC7531
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile]  458DF875
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString]  15FF508C
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString]  [00DEF004] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap]  458D086A
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap]  458D50F8
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey]  15FF508C
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey]  [00DEF000] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger]  508C458D
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString]  F00815FF
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile]  458B00DE
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv]  E84533E4
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation]  33EC4533
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul]  C3C9F045
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply]  8BEC8B55
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile]  EC833040
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx]  57565314
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess]  D98B388B
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString]  EB04708D
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U]  46B70F20
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U]  30448D1A
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey]  F0F0681C
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile]  4F5000DE
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenKey]  00DCAFE8
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf]  85595900
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject]  811374C0
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor]  00011CC6
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor]  [75FF8500] C:\Windows\system32\RPCRT4.dll (Czas wykonania zdalnego wywoływania procedury/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce]  5FC033DC
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl]  C2C95B5E
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor]  468B0008
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid]  F4458908
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString]  8B0C468B
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile]  45890473
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk]  [74F685F0] C:\Windows\system32\UxTheme.dll (Biblioteka Microsoft UxTheme/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNumberOfSetBitsUlongPtr]  D8BB8D77
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject]  57000000
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject]  DF015068
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject]  8D426A00
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort]  4E50FC45
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx]  F0E015FF
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy]  C08500DE
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject]  458D537C
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString]  046A50EC
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp]  50F8458D
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable]  [75FF096A] C:\Windows\system32\RPCRT4.dll (Czas wykonania zdalnego wywoływania procedury/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace]  DC15FFFC
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData]  8500DEF0
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData]  8B317CC0
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData]  452BF845
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor]  F0453BF4
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce]  006A2673
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid]  FFFC75FF
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce]  DEF0D415
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString]  7CC08500
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject]  0C4D8B17
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject]  1F8B018B
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject]  8908558B
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields]  5F8BC21C
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!memset]  C25C8904
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite]  01894004
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled]  FFFC75FF
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString]  DEF0D815
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection]  40C78300
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection]  8F75F685
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues]  E940C033
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread]  FFFFFF67
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject]  51EC8B55
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess]  0173A051
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters]  565300DF
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess]  C0BE0F57
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx]  7D89FF33
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr]  DC2AE8F8
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString]  DC8B0000
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString]  45C7F633
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp]  001000FC
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx]  FC458B00
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U]  0F73F83B
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U]  11E8C72B
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString]  8B0000DC
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile]  2BC38BF4
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege]  8DF88BC6
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry]  5750FC45
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation]  FF056A56
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent]  DEF0D015
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment]  00043D00
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey]  D574C000
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment]  047DC085
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent]  60EBC033
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort]  F003C033
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess]  468D016A
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap]  18685038
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserThread]  FF00DEF1
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive]  DEF0CC15
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive]  [75C08400] c:\windows\system32\AUTHZ.dll (Authorization Framework/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread]  85068B08
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken]  EBE375C0
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken]  68006A3C
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort]  00040000
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared]  F07415FF
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared]  F88B00DE
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort]  2974FF85
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock]  FF016A57
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort]  15FF4476
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute]  [00DEF020] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort]  127CC085
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess]  8B0C75FF
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage]  0875FFCE
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExitUserThread]  81E8C78B
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort]  89FFFFFE
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute]  FF57F845
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical]  DEF02415
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort]  F8458B00
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject]  5FEC658D
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent]  C2C95B5E
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable]  8B550008
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits]  3CEC81EC
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay]  56000002
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent]  E856F08B
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW]  0000DB36
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable]  00803D59
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits]  870F0000
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit]  000000AC
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits]  0F2E3E80
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits]  0000A384
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap]  858D5600
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid]  FFFFFDC8
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError]  DEF12068
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects]  15FF5000
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical]  [00DEF02C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister]  FDC8858D
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation]  2E6AFFFF
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable]  DB06E850
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution]  C4830000
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString]  74C08514
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent]  66C9337B
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege]  C0830889
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege]  F1906802
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions]  E85000DE
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul]  0000DAF2
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter]  C0855959
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind]  858D6275
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgBreakPoint]  FFFFFDC8
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams]  CC758D50
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm]  000DFFE8
IAT  C:\Windows\system32\svchost.exe[976] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm]  19685000

---- Modules - GMER 1.0.15 ----

Module  (noname) (*** hidden *** )  A84D5000-A84E5000 (65536 bytes)

---- Threads - GMER 1.0.15 ----

Thread  System [4:272]  A84D9930

---- Files - GMER 1.0.15 ----

File  C:\Windows\$NtUninstallKB29254$\4142695594  0 bytes
File  C:\Windows\$NtUninstallKB29254$\4142695594\@  2048 bytes
File  C:\Windows\$NtUninstallKB29254$\4142695594\cfg.ini  204 bytes
File  C:\Windows\$NtUninstallKB29254$\4142695594\Desktop.ini  4608 bytes
File  C:\Windows\$NtUninstallKB29254$\4142695594\L  0 bytes
File  C:\Windows\$NtUninstallKB29254$\4142695594\L\ogejidap  54784 bytes
File  C:\Windows\$NtUninstallKB29254$\4142695594\U  0 bytes
File  C:\Windows\$NtUninstallKB29254$\4240405281  0 bytes

---- EOF - GMER 1.0.15 ----