GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-28 21:18:08
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 SAMSUNG_HD103SJ rev.1AJ100E4
Running: wdglx5mf.exe; Driver: C:\Users\MIKOAJ~1\AppData\Local\Temp\uwliypog.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 8385C369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83895D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.xreloc C:\Windows\system32\drivers\ps6aj6ec.sys unknown last section [0x8CF64000, 0x8DA, 0x40000040]
.text tdx.sys 9206E000 15 Bytes [00, 00, 00, 00, 00, 00, 8B, ...]
.text tdx.sys 9206E010 2 Bytes [FF, 75]
.text tdx.sys 9206E013 86 Bytes [6A, 2B, FF, 75, 0C, FF, 75, ...]
.text tdx.sys 9206E06A 176 Bytes [51, 6A, 02, 50, 6A, 04, 8D, ...]
.text tdx.sys 9206E11B 84 Bytes [6A, 04, 8D, 45, 28, 50, 6A, ...]
.text ...
? C:\Windows\system32\DRIVERS\tdx.sys suspicious PE modification
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x821A5300, 0x3B6D8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9FA00300, 0x1BEE, 0xE8000020]
.text C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl section is writeable [0x9FEAF000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl entry point in ".vmp2" section [0x9FED2050]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 9FF37000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 9FF37123 629 Bytes [25, F3, 9F, FE, 05, 34, 25, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 9FF37399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F 9FF373FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B 9FF374AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtProtectVirtualMemory 77575F18 5 Bytes JMP 0110000A
.text C:\Windows\system32\svchost.exe[1032] ntdll.dll!NtWriteVirtualMemory 77576A98 5 Bytes JMP 0111000A
.text C:\Windows\system32\svchost.exe[1032] ntdll.dll!KiUserExceptionDispatcher 77576FE8 5 Bytes JMP 00F5000A
? C:\Windows\system32\svchost.exe[1032] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch;

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 83EC8B55
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 458D74EC
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx] 15FF50F8
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] [00A7F014] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] 01FC7531
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile] 458DF875
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile] 15FF508C
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile] [00A7F004] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] 458D086A
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 458D50F8
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap] 15FF508C
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] [00A7F000] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile] 508C458D
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv] F00815FF
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 458B00A7
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul] E84533E4
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtFlushKey] 33EC4533
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey] C3C9F045
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey] 8BEC8B55
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey] EC833040
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareMemory] 57565314
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeviceIoControlFile] D98B388B
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx] EB04708D
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] 46B70F20
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] 30448D1A
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] F0F0681C
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] 4F5000A7
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] 00DCAFE8
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation] 85595900
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] 811374C0
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] 00011CC6
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey] [75FF8500] C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile] 5FC033DC
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenKey] C2C95B5E
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf] 468B0008
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite] F4458908
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled] 8B0C468B
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 45890473
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] [74F685F0] C:\Windows\system32\schannel.DLL (TLS / SSL Security Provider/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] D8BB8D77
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] 57000000
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl] A8015068
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] 8D426A00
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 4E50FC45
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] F0E015FF
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile] C08500A7
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk] 458D537C
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] 046A50EC
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] 50F8458D
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] [75FF096A] C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] DC15FFFC
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] 8500A7F0
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp] 8B317CC0
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort] 452BF845
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx] F0453BF4
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx] 006A2673
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] FFFC75FF
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] A7F0D415
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy] 7CC08500
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp] 0C4D8B17
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 1F8B018B
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace] 8908558B
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] 5F8BC21C
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindSetBits] C25C8904
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInterlockedSetBitRun] 01894004
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit] FFFC75FF
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] A7F0D815
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] 40C78300
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 8F75F685
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor] E940C033
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce] FFFFFF67
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid] 51EC8B55
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce] 0173A051
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 565300A8
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] C0BE0F57
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] 7D89FF33
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] DC2AE8F8
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields] DC8B0000
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSerializeBoot] 45C7F633
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!memset] 001000FC
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] FC458B00
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection] 0F73F83B
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 11E8C72B
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 8B0000DC
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread] 2BC38BF4
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] 8DF88BC6
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess] 5750FC45
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] FF056A56
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] A7F0D015
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx] 00043D00
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString] D574C000
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile] 047DC085
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr] 60EBC033
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] F003C033
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 468D016A
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!TpReleaseWork] 18685038
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!TpPostWork] FF00A7F1
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocWork] A7F0CC15
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent] [75C08400] C:\Windows\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment] 85068B08
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] EBE375C0
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent] 68006A3C
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits] 00040000
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits] F07415FF
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap] F88B00A7
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort] 2974FF85
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess] FF016A57
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] 15FF4476
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive] [00A7F020] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive] 127CC085
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread] 8B0C75FF
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken] 0875FFCE
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken] 81E8C78B
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort] 89FFFFFE
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared] FF57F845
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared] A7F02415
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!TpSetPoolMinThreads] F8458B00
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort] 5FEC658D
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock] C2C95B5E
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort] 8B550008
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute] 3CEC81EC
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort] 56000002
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess] E856F08B
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage] 0000DB36
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort] 00803D59
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute] 870F0000
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] 000000AC
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] 0F2E3E80
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject] 0000A384
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent] 858D5600
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable] FFFFFDC8
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits] A7F12068
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay] 15FF5000
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent] [00A7F02C] C:\Windows\system32\smss.exe (Menedżer sesji systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW] FDC8858D
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable] 2E6AFFFF
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits] DB06E850
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid] C4830000
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError] 74C08514
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] 66C9337B
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocAlpcCompletion] C0830889
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!TpAllocPool] F1906802
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] E85000A7
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister] 0000DAF2
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation] C0855959
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable] 858D6275
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution] FFFFFDC8
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] CC758D50
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent] 000DFFE8
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege] 19685000
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege] 8D000200
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] FF50FC45
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul] A7F03815
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsnicmp] 7CC08500
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] EC458D3F
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind] 50106A50
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] 2868026A
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm] FF00A7F2
IAT C:\Windows\system32\svchost.exe[1032] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm] F633FC75
IAT C:\Windows\Explorer.EXE[2396] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73F02437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2396] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73EE5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2396] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73EE56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2396] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73F024B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2396] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73EF8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2396] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73EF4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2396] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73EF506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2396] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73EF5144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2396] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73EF6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2396] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73EF826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2396] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73EF87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2396] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73EF901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2396] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73EFE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2396] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73EF4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\tdx \Device\Tcp [92078FAA] \SystemRoot\system32\DRIVERS\tdx.sys[unknown section] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; MOV EDX, [EBP+0xc]; MOV EAX, [EBP+0x8]}
Device \Driver\ACPI_HAL \Device\00000057 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\tdx \Device\Udp [92078FAA] \SystemRoot\system32\DRIVERS\tdx.sys[unknown section] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; MOV EDX, [EBP+0xc]; MOV EAX, [EBP+0x8]}
Device \Driver\tdx \Device\RawIp [92078FAA] \SystemRoot\system32\DRIVERS\tdx.sys[unknown section] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; MOV EDX, [EBP+0xc]; MOV EAX, [EBP+0x8]}

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) 9FEDA000-9FEEA000 (65536 bytes)

---- Processes - GMER 1.0.15 ----

Process C:\Windows\System32\ping.exe (*** hidden *** ) 4448

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Mikołaj\Desktop\ \Programy\zp600pro.exe 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Mikołaj\Desktop\ \Metin2modpl_.exe 1

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB5202$\2045275578 0 bytes
File C:\Windows\$NtUninstallKB5202$\2045275578\@ 2048 bytes
File C:\Windows\$NtUninstallKB5202$\2045275578\cfg.ini 204 bytes
File C:\Windows\$NtUninstallKB5202$\2045275578\Desktop.ini 4608 bytes
File C:\Windows\$NtUninstallKB5202$\2045275578\L 0 bytes
File C:\Windows\$NtUninstallKB5202$\2045275578\L\xadqgnnk 74752 bytes
File C:\Windows\$NtUninstallKB5202$\2045275578\twl.dll 223744 bytes
File C:\Windows\$NtUninstallKB5202$\2045275578\U 0 bytes
File C:\Windows\$NtUninstallKB5202$\2045275578\U\00000001.@ 2048 bytes
File C:\Windows\$NtUninstallKB5202$\2045275578\U\00000002.@ 224768 bytes
File C:\Windows\$NtUninstallKB5202$\2045275578\U\00000004.@ 1024 bytes
File C:\Windows\$NtUninstallKB5202$\2045275578\U\80000000.@ 66560 bytes
File C:\Windows\$NtUninstallKB5202$\2045275578\U\80000004.@ 12800 bytes
File C:\Windows\$NtUninstallKB5202$\2045275578\U\80000032.@ 73216 bytes
File C:\Windows\$NtUninstallKB5202$\2045275578\version 842 bytes
File C:\Windows\$NtUninstallKB5202$\3461750839 0 bytes

---- EOF - GMER 1.0.15 ----