GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-11 22:09:56
Windows 5.1.2600 Dodatek Service Pack 3
Running: i1pfkl6e.exe; Driver: C:\DOCUME~1\jendru\USTAWI~1\Temp\axtdapow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0xB7AA536E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwClose [0xB7AA5A86]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwConnectPort [0xB7AA660C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateEvent [0xB7AA6B40]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateFile [0xB7AA5D78]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateKey [0xB7AA4460]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateMutant [0xB7AA6A18]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateNamedPipeFile [0xB7AA3D0A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreatePort [0xB7AA68D4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSection [0xB7AA5102]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSemaphore [0xB7AA6C72]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB7AA840E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateThread [0xB7AA5886]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwCreateWaitablePort [0xB7AA6976]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteKey [0xB7AA4A20]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeleteValueKey [0xB7AA4CF8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0xB7AA621C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwDuplicateObject [0xB7AA8980]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateKey [0xB7AA4E3A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwEnumerateValueKey [0xB7AA4EE4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwFsControlFile [0xB7AA6016]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadDriver [0xB7AA7EA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey [0xB7AA443C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwLoadKey2 [0xB7AA444E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwNotifyChangeKey [0xB7AA5030]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenEvent [0xB7AA6BE2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenFile [0xB7AA5B08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenKey [0xB7AA4604]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenMutant [0xB7AA6AB0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenProcess [0xB7AA556E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSection [0xB7AA8438]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenSemaphore [0xB7AA6D14]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwOpenThread [0xB7AA5492]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryKey [0xB7AA4F8E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryMultipleValueKey [0xB7AA4BB6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueryValueKey [0xB7AA48BC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwQueueApcThread [0xB7AA8128]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRenameKey [0xB7AA4B34]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplaceKey [0xB7AA40C2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyPort [0xB7AA709E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0xB7AA6F64]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0xB7AA7C30]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwRestoreKey [0xB7AA4224]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwResumeThread [0xB7AA8860]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSaveKey [0xB7AA3EC4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSecureConnectPort [0xB7AA6312]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetContextThread [0xB7AA5984]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetInformationToken [0xB7AA75F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSecurityObject [0xB7AA7FA0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetSystemInformation [0xB7AA84C2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSetValueKey [0xB7AA4744]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendProcess [0xB7AA85A6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSuspendThread [0xB7AA86D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwSystemDebugControl [0xB7AA7DD2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateProcess [0xB7AA56EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwTerminateThread [0xB7AA563C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0xB7AA57C8]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAF84 5 Bytes JMP B7A9A424 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF912 5 Bytes JMP B7A9A7DE \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text ntkrnlpa.exe!ZwCallbackReturn + 2C8C 80504528 16 Bytes [02, 51, AA, B7, 72, 6C, AA, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D48 805045E4 12 Bytes [A6, 7E, AA, B7, 3C, 44, AA, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2EC4 80504760 16 Bytes [34, 4B, AA, B7, C2, 40, AA, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 12 Bytes [A6, 85, AA, B7, D2, 86, AA, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FC8 80504864 8 Bytes JMP 3CB7AA56
PAGE Ntfs.sys B9D7EE55 4 Bytes CALL 89A48FE1
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9927360, 0x24BBAD, 0xE8000020]
.text C:\WINDOWS\system32\drivers\aec.sys section is writeable [0xB5ECC280, 0x6B020, 0xE0000020]
? C:\WINDOWS\system32\drivers\aec.sys Urządzenie podłączone do komputera nie działa.

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[884] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[884] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[884] USER32.dll!AlignRects + FFFA5598 7E362A78 4 Bytes [70, 11, 32, 6D]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1552] C:\WINDOWS\system32\ntdll.dll time/date stamp mismatch;
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1552] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe[1552] USER32.dll!AlignRects + FFFA5598 7E362A78 4 Bytes [70, 11, 32, 6D]
? C:\WINDOWS\System32\svchost.exe[2316] image checksum mismatch; time/date stamp mismatch;

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] [77DC7ABB] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] [77DC7852] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] [77DCEAE7] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] [77DEBCF3] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [77DCEFC8] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] [77DC6C27] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 00000000
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] [7C9100C4] C:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] [7C80AC61] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] [7C90FF2D] C:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] [7C80236B] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] [7C834D41] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] [7C809BE7] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] [7C810E27] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] [7C8328F7] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] [7C8641E9] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] [7C802213] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] [7C809B12] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] [7C8021D0] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] [7C83970D] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7C80BEA1] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] [7C814B92] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] [7C812B7E] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [7C90FE21] C:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] [7C80E9DF] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] [7C802530] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] [7C802446] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] [7C8106D7] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] [7C801E1A] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] [7C80DE95] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] [7C8645AA] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 00000000
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] [71A55355] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [71A52EAD] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] [71A52E53] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] [71A5676F] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] [71A53E2B] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] [71A54A07] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] [71A54211] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] [71A54C27] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] [71A53FED] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] [71A56A55] C:\WINDOWS\System32\WS2_32.dll (Windows Socket 2.0 32-Bit DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 00000000
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] [7C902645] C:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 00000000
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 00000000
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] 00000000
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 00000000
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 00000000
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 4C592851
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] 00000000
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] 00000002
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 00000052
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 000012B4
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 000006B4
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 00000020
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 00004E42
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 005C3A43
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 74737953
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 69426D65
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 6164736F
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 00006574
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 44524148
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 45524157
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 50495243
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 4E4F4954
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 7379535C
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 006D6574
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] 65646956
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 6F69426F
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 74614473
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 00000065
IAT C:\WINDOWS\System32\svchost.exe[2316] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 6E656449

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89A48F80
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\aec.sys (*** hidden *** ) [MANUAL] aec <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\aec@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\aec@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\aec@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\aec@ImagePath system32\drivers\aec.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\aec@DisplayName Microsoft Kernel Acoustic Echo Canceller
Reg HKLM\SYSTEM\CurrentControlSet\Services\aec\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\aec\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\aec@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\aec@Start 3
Reg HKLM\SYSTEM\ControlSet002\Services\aec@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\aec@ImagePath system32\drivers\aec.sys
Reg HKLM\SYSTEM\ControlSet002\Services\aec@DisplayName Microsoft Kernel Acoustic Echo Canceller
Reg HKLM\SYSTEM\ControlSet002\Services\aec\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\aec\Security@Security 0x01 0x00 0x14 0x80 ...

---- EOF - GMER 1.0.15 ----