GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-23 23:39:10
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0 INTEL_SS rev.4PC1
Running: xe9zbx6t.exe; Driver: C:\DOCUME~1\Artur\USTAWI~1\Temp\uwldapob.sys

---- Kernel code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB23223C0, 0x95B7EA, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ntdll.dll!NtCreateFile  7C90D0AE 1 Byte  [FF]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ntdll.dll!NtCreateFile  7C90D0AE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ntdll.dll!NtCreateFile + 4  7C90D0B2 2 Bytes  [87, 71]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ntdll.dll!NtDeleteValueKey  7C90D26E 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ntdll.dll!NtDeleteValueKey + 4  7C90D272 2 Bytes  [8D, 71]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ntdll.dll!NtOpenFile  7C90D59E 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ntdll.dll!NtOpenFile + 4  7C90D5A2 2 Bytes  [84, 71]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ntdll.dll!NtOpenProcess  7C90D5FE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ntdll.dll!NtOpenProcess + 4  7C90D602 2 Bytes  [8A, 71]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ntdll.dll!NtSetContextThread  7C90DBAE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ntdll.dll!NtSetContextThread + 4  7C90DBB2 2 Bytes  [81, 71]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ntdll.dll!NtSetValueKey  7C90DDCE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ntdll.dll!NtSetValueKey + 4  7C90DDD2 2 Bytes  [90, 71]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] kernel32.dll!LoadLibraryExW + C4  7C801BB9 4 Bytes  CALL 00B50001
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] USER32.dll!PostMessageW  7E368CCB 6 Bytes  JMP 719A0F5A
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] USER32.dll!SendMessageW  7E37929A 6 Bytes  JMP 71A00F5A
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] USER32.dll!PostMessageA  7E37AAFD 6 Bytes  JMP 719D0F5A
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] USER32.dll!SendInput  7E37F140 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] USER32.dll!SendInput + 4  7E37F144 2 Bytes  [A5, 71]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] USER32.dll!SendMessageA  7E37F3C2 6 Bytes  JMP 71A30F5A
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] USER32.dll!mouse_event  7E3B673F 6 Bytes  JMP 71AC0F5A
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] USER32.dll!keybd_event  7E3B6783 6 Bytes  JMP 71A90F5A
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ADVAPI32.dll!CreateServiceA  77E27211 6 Bytes  JMP 71970F5A
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] ADVAPI32.dll!CreateServiceW  77E273A9 6 Bytes  JMP 71940F5A
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] WS2_32.dll!GetAddrInfoW  00E12899 6 Bytes  JMP 717F0F5A
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] WS2_32.dll!connect  00E14A07 6 Bytes  JMP 717A0F5A
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] WS2_32.dll!gethostbyname  00E15355 6 Bytes  JMP 716A0F5A
.text  C:\WINDOWS\system32\RUNDLL32.EXE[436] WS2_32.dll!listen  00E18CD3 6 Bytes  JMP 71760F5A
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ntdll.dll!NtCreateFile  7C90D0AE 1 Byte  [FF]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ntdll.dll!NtCreateFile  7C90D0AE 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ntdll.dll!NtCreateFile + 4  7C90D0B2 2 Bytes  [87, 71]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ntdll.dll!NtDeleteValueKey  7C90D26E 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ntdll.dll!NtDeleteValueKey + 4  7C90D272 2 Bytes  [8D, 71]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ntdll.dll!NtOpenFile  7C90D59E 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ntdll.dll!NtOpenFile + 4  7C90D5A2 2 Bytes  [84, 71]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ntdll.dll!NtOpenProcess  7C90D5FE 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ntdll.dll!NtOpenProcess + 4  7C90D602 2 Bytes  [8A, 71]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ntdll.dll!NtSetContextThread  7C90DBAE 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ntdll.dll!NtSetContextThread + 4  7C90DBB2 2 Bytes  [81, 71]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ntdll.dll!NtSetValueKey  7C90DDCE 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ntdll.dll!NtSetValueKey + 4  7C90DDD2 2 Bytes  [90, 71]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] kernel32.dll!LoadLibraryExW + C4  7C801BB9 4 Bytes  CALL 00B20001
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ADVAPI32.dll!CreateServiceA  77E27211 6 Bytes  JMP 71970F5A
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] ADVAPI32.dll!CreateServiceW  77E273A9 6 Bytes  JMP 71940F5A
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] USER32.dll!PostMessageW  7E368CCB 6 Bytes  JMP 719A0F5A
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] USER32.dll!SendMessageW  7E37929A 6 Bytes  JMP 71A00F5A
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] USER32.dll!PostMessageA  7E37AAFD 6 Bytes  JMP 719D0F5A
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] USER32.dll!SendInput  7E37F140 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] USER32.dll!SendInput + 4  7E37F144 2 Bytes  [A5, 71]
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] USER32.dll!SendMessageA  7E37F3C2 6 Bytes  JMP 71A30F5A
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] USER32.dll!mouse_event  7E3B673F 6 Bytes  JMP 71AC0F5A
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] USER32.dll!keybd_event  7E3B6783 6 Bytes  JMP 71A90F5A
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] WS2_32.dll!GetAddrInfoW  00C62899 6 Bytes  JMP 71760F5A
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] WS2_32.dll!connect  00C64A07 6 Bytes  JMP 717F0F5A
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] WS2_32.dll!gethostbyname  00C65355 6 Bytes  JMP 71790F5A
.text  C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[620] WS2_32.dll!listen  00C68CD3 6 Bytes  JMP 717C0F5A
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtCreateFile  7C90D0AE 1 Byte  [FF]
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtCreateFile  7C90D0AE 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtCreateFile + 4  7C90D0B2 2 Bytes  [7E, 71] {JLE 0x73}
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtDeleteValueKey  7C90D26E 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtDeleteValueKey + 4  7C90D272 2 Bytes  [84, 71]
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtOpenFile  7C90D59E 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtOpenFile + 4  7C90D5A2 2 Bytes  [7B, 71] {JNP 0x73}
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtOpenProcess  7C90D5FE 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtOpenProcess + 4  7C90D602 2 Bytes  [81, 71]
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtSetContextThread  7C90DBAE 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtSetContextThread + 4  7C90DBB2 2 Bytes  [78, 71] {JS 0x73}
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtSetValueKey  7C90DDCE 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ntdll.dll!NtSetValueKey + 4  7C90DDD2 2 Bytes  [87, 71]
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] kernel32.dll!LoadLibraryExW + C4  7C801BB9 4 Bytes  CALL 00BF0001
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ADVAPI32.dll!CreateServiceA  77E27211 6 Bytes  JMP 718E0F5A
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] ADVAPI32.dll!CreateServiceW  77E273A9 6 Bytes  JMP 718B0F5A
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] USER32.dll!PostMessageW  7E368CCB 6 Bytes  JMP 71910F5A
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] USER32.dll!SendMessageW  7E37929A 6 Bytes  JMP 71970F5A
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] USER32.dll!PostMessageA  7E37AAFD 6 Bytes  JMP 71940F5A
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] USER32.dll!SendInput  7E37F140 3 Bytes  [FF, 25, 1E]
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] USER32.dll!SendInput + 4  7E37F144 2 Bytes  [9C, 71]
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] USER32.dll!SendMessageA  7E37F3C2 6 Bytes  JMP 719A0F5A
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] USER32.dll!mouse_event  7E3B673F 6 Bytes  JMP 71A30F5A
.text  C:\Program Files\Microsoft Security Client\msseces.exe[644] USER32.dll!keybd_event  7E3B6783 6 Bytes  JMP 71A00F5A
.text  C:\WINDOWS\RTHDCPL.EXE[652] ntdll.dll!NtCreateFile  7C90D0AE 1 Byte  [FF]
.text  C:\WINDOWS\RTHDCPL.EXE[652] ntdll.dll!NtCreateFile  7C90D0AE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\RTHDCPL.EXE[652] ntdll.dll!NtCreateFile + 4  7C90D0B2 2 Bytes  [7F, 71] {JG 0x73}
.text  C:\WINDOWS\RTHDCPL.EXE[652] ntdll.dll!NtDeleteValueKey  7C90D26E 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\RTHDCPL.EXE[652] ntdll.dll!NtDeleteValueKey + 4  7C90D272 2 Bytes  [85, 71]
.text  C:\WINDOWS\RTHDCPL.EXE[652] ntdll.dll!NtOpenFile  7C90D59E 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\RTHDCPL.EXE[652] ntdll.dll!NtOpenFile + 4  7C90D5A2 2 Bytes  [7C, 71] {JL 0x73}
.text  C:\WINDOWS\RTHDCPL.EXE[652] ntdll.dll!NtOpenProcess  7C90D5FE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\RTHDCPL.EXE[652] ntdll.dll!NtOpenProcess + 4  7C90D602 2 Bytes  [82, 71]
.text  C:\WINDOWS\RTHDCPL.EXE[652] ntdll.dll!NtSetContextThread  7C90DBAE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\RTHDCPL.EXE[652] ntdll.dll!NtSetContextThread + 4  7C90DBB2 2 Bytes  [79, 71] {JNS 0x73}
.text  C:\WINDOWS\RTHDCPL.EXE[652] ntdll.dll!NtSetValueKey  7C90DDCE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\RTHDCPL.EXE[652] ntdll.dll!NtSetValueKey + 4  7C90DDD2 2 Bytes  [88, 71]
.text  C:\WINDOWS\RTHDCPL.EXE[652] kernel32.dll!LoadLibraryExW + C4  7C801BB9 4 Bytes  CALL 01DB0001
.text  C:\WINDOWS\RTHDCPL.EXE[652] ADVAPI32.dll!CreateServiceA  77E27211 6 Bytes  JMP 718F0F5A
.text  C:\WINDOWS\RTHDCPL.EXE[652] ADVAPI32.dll!CreateServiceW  77E273A9 6 Bytes  JMP 718C0F5A
.text  C:\WINDOWS\RTHDCPL.EXE[652] USER32.dll!PostMessageW  7E368CCB 6 Bytes  JMP 71920F5A
.text  C:\WINDOWS\RTHDCPL.EXE[652] USER32.dll!SendMessageW  7E37929A 6 Bytes  JMP 71980F5A
.text  C:\WINDOWS\RTHDCPL.EXE[652] USER32.dll!PostMessageA  7E37AAFD 6 Bytes  JMP 71950F5A
.text  C:\WINDOWS\RTHDCPL.EXE[652] USER32.dll!SendInput  7E37F140 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\RTHDCPL.EXE[652] USER32.dll!SendInput + 4  7E37F144 2 Bytes  [9D, 71]
.text  C:\WINDOWS\RTHDCPL.EXE[652] USER32.dll!SendMessageA  7E37F3C2 6 Bytes  JMP 719B0F5A
.text  C:\WINDOWS\RTHDCPL.EXE[652] USER32.dll!mouse_event  7E3B673F 6 Bytes  JMP 71A40F5A
.text  C:\WINDOWS\RTHDCPL.EXE[652] USER32.dll!keybd_event  7E3B6783 6 Bytes  JMP 71A10F5A
.text  C:\WINDOWS\system32\ctfmon.exe[696] ntdll.dll!NtCreateFile  7C90D0AE 1 Byte  [FF]
.text  C:\WINDOWS\system32\ctfmon.exe[696] ntdll.dll!NtCreateFile  7C90D0AE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\ctfmon.exe[696] ntdll.dll!NtCreateFile + 4  7C90D0B2 2 Bytes  [87, 71]
.text  C:\WINDOWS\system32\ctfmon.exe[696] ntdll.dll!NtDeleteValueKey  7C90D26E 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\ctfmon.exe[696] ntdll.dll!NtDeleteValueKey + 4  7C90D272 2 Bytes  [8D, 71]
.text  C:\WINDOWS\system32\ctfmon.exe[696] ntdll.dll!NtOpenFile  7C90D59E 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\ctfmon.exe[696] ntdll.dll!NtOpenFile + 4  7C90D5A2 2 Bytes  [84, 71]
.text  C:\WINDOWS\system32\ctfmon.exe[696] ntdll.dll!NtOpenProcess  7C90D5FE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\ctfmon.exe[696] ntdll.dll!NtOpenProcess + 4  7C90D602 2 Bytes  [8A, 71]
.text  C:\WINDOWS\system32\ctfmon.exe[696] ntdll.dll!NtSetContextThread  7C90DBAE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\ctfmon.exe[696] ntdll.dll!NtSetContextThread + 4  7C90DBB2 2 Bytes  [81, 71]
.text  C:\WINDOWS\system32\ctfmon.exe[696] ntdll.dll!NtSetValueKey  7C90DDCE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\ctfmon.exe[696] ntdll.dll!NtSetValueKey + 4  7C90DDD2 2 Bytes  [90, 71]
.text  C:\WINDOWS\system32\ctfmon.exe[696] kernel32.dll!LoadLibraryExW + C4  7C801BB9 4 Bytes  CALL 00A50001
.text  C:\WINDOWS\system32\ctfmon.exe[696] ADVAPI32.dll!CreateServiceA  77E27211 6 Bytes  JMP 71970F5A
.text  C:\WINDOWS\system32\ctfmon.exe[696] ADVAPI32.dll!CreateServiceW  77E273A9 6 Bytes  JMP 71940F5A
.text  C:\WINDOWS\system32\ctfmon.exe[696] USER32.dll!PostMessageW  7E368CCB 6 Bytes  JMP 719A0F5A
.text  C:\WINDOWS\system32\ctfmon.exe[696] USER32.dll!SendMessageW  7E37929A 6 Bytes  JMP 71A00F5A
.text  C:\WINDOWS\system32\ctfmon.exe[696] USER32.dll!PostMessageA  7E37AAFD 6 Bytes  JMP 719D0F5A
.text  C:\WINDOWS\system32\ctfmon.exe[696] USER32.dll!SendInput  7E37F140 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\ctfmon.exe[696] USER32.dll!SendInput + 4  7E37F144 2 Bytes  [A5, 71]
.text  C:\WINDOWS\system32\ctfmon.exe[696] USER32.dll!SendMessageA  7E37F3C2 6 Bytes  JMP 71A30F5A
.text  C:\WINDOWS\system32\ctfmon.exe[696] USER32.dll!mouse_event  7E3B673F 6 Bytes  JMP 71AC0F5A
.text  C:\WINDOWS\system32\ctfmon.exe[696] USER32.dll!keybd_event  7E3B6783 6 Bytes  JMP 71A90F5A
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ntdll.dll!NtCreateFile  7C90D0AE 1 Byte  [FF]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ntdll.dll!NtCreateFile  7C90D0AE 3 Bytes  [FF, 25, 1E]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ntdll.dll!NtCreateFile + 4  7C90D0B2 2 Bytes  [87, 71]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ntdll.dll!NtDeleteValueKey  7C90D26E 3 Bytes  [FF, 25, 1E]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ntdll.dll!NtDeleteValueKey + 4  7C90D272 2 Bytes  [8D, 71]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ntdll.dll!NtOpenFile  7C90D59E 3 Bytes  [FF, 25, 1E]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ntdll.dll!NtOpenFile + 4  7C90D5A2 2 Bytes  [84, 71]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ntdll.dll!NtOpenProcess  7C90D5FE 3 Bytes  [FF, 25, 1E]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ntdll.dll!NtOpenProcess + 4  7C90D602 2 Bytes  [8A, 71]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ntdll.dll!NtSetContextThread  7C90DBAE 3 Bytes  [FF, 25, 1E]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ntdll.dll!NtSetContextThread + 4  7C90DBB2 2 Bytes  [81, 71]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ntdll.dll!NtSetValueKey  7C90DDCE 3 Bytes  [FF, 25, 1E]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ntdll.dll!NtSetValueKey + 4  7C90DDD2 2 Bytes  [90, 71]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] kernel32.dll!LoadLibraryExW + C4  7C801BB9 4 Bytes  CALL 00AC0001
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] USER32.dll!PostMessageW  7E368CCB 6 Bytes  JMP 719A0F5A
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] USER32.dll!SendMessageW  7E37929A 6 Bytes  JMP 71A00F5A
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] USER32.dll!PostMessageA  7E37AAFD 6 Bytes  JMP 719D0F5A
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] USER32.dll!SendInput  7E37F140 3 Bytes  [FF, 25, 1E]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] USER32.dll!SendInput + 4  7E37F144 2 Bytes  [A5, 71]
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] USER32.dll!SendMessageA  7E37F3C2 6 Bytes  JMP 71A30F5A
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] USER32.dll!mouse_event  7E3B673F 6 Bytes  JMP 71AC0F5A
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] USER32.dll!keybd_event  7E3B6783 6 Bytes  JMP 71A90F5A
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ADVAPI32.dll!CreateServiceA  77E27211 6 Bytes  JMP 71970F5A
.text  C:\Documents and Settings\Artur\Pulpit\xe9zbx6t.exe[1264] ADVAPI32.dll!CreateServiceW  77E273A9 6 Bytes  JMP 71940F5A
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ntdll.dll!NtCreateFile  7C90D0AE 1 Byte  [FF]
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ntdll.dll!NtCreateFile  7C90D0AE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ntdll.dll!NtCreateFile + 4  7C90D0B2 2 Bytes  [78, 71] {JS 0x73}
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ntdll.dll!NtDeleteValueKey  7C90D26E 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ntdll.dll!NtDeleteValueKey + 4  7C90D272 2 Bytes  [7E, 71] {JLE 0x73}
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ntdll.dll!NtOpenFile  7C90D59E 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ntdll.dll!NtOpenFile + 4  7C90D5A2 2 Bytes  [75, 71] {JNZ 0x73}
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ntdll.dll!NtOpenProcess  7C90D5FE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ntdll.dll!NtOpenProcess + 4  7C90D602 2 Bytes  [7B, 71] {JNP 0x73}
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ntdll.dll!NtSetContextThread  7C90DBAE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ntdll.dll!NtSetContextThread + 4  7C90DBB2 2 Bytes  [72, 71] {JB 0x73}
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ntdll.dll!NtSetValueKey  7C90DDCE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ntdll.dll!NtSetValueKey + 4  7C90DDD2 2 Bytes  [81, 71]
.text  C:\WINDOWS\system32\taskmgr.exe[1856] kernel32.dll!LoadLibraryExW + C4  7C801BB9 4 Bytes  CALL 00A90001
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ADVAPI32.dll!CreateServiceA  77E27211 6 Bytes  JMP 71880F5A
.text  C:\WINDOWS\system32\taskmgr.exe[1856] ADVAPI32.dll!CreateServiceW  77E273A9 6 Bytes  JMP 71850F5A
.text  C:\WINDOWS\system32\taskmgr.exe[1856] USER32.dll!PostMessageW  7E368CCB 6 Bytes  JMP 718B0F5A
.text  C:\WINDOWS\system32\taskmgr.exe[1856] USER32.dll!SendMessageW  7E37929A 6 Bytes  JMP 71910F5A
.text  C:\WINDOWS\system32\taskmgr.exe[1856] USER32.dll!PostMessageA  7E37AAFD 6 Bytes  JMP 718E0F5A
.text  C:\WINDOWS\system32\taskmgr.exe[1856] USER32.dll!SendInput  7E37F140 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\system32\taskmgr.exe[1856] USER32.dll!SendInput + 4  7E37F144 2 Bytes  [96, 71]
.text  C:\WINDOWS\system32\taskmgr.exe[1856] USER32.dll!SendMessageA  7E37F3C2 6 Bytes  JMP 71940F5A
.text  C:\WINDOWS\system32\taskmgr.exe[1856] USER32.dll!mouse_event  7E3B673F 6 Bytes  JMP 719D0F5A
.text  C:\WINDOWS\system32\taskmgr.exe[1856] USER32.dll!keybd_event  7E3B6783 6 Bytes  JMP 719A0F5A
.text  C:\WINDOWS\system32\taskmgr.exe[1856] WS2_32.dll!GetAddrInfoW  71A52899 6 Bytes  JMP 71A00F5A
.text  C:\WINDOWS\system32\taskmgr.exe[1856] WS2_32.dll!connect  71A54A07 6 Bytes  JMP 71AC0F5A
.text  C:\WINDOWS\system32\taskmgr.exe[1856] WS2_32.dll!gethostbyname  71A55355 6 Bytes  JMP 71A30F5A
.text  C:\WINDOWS\system32\taskmgr.exe[1856] WS2_32.dll!listen  71A58CD3 6 Bytes  JMP 71A90F5A
.text  C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtCreateFile  7C90D0AE 1 Byte  [FF]
.text  C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtCreateFile  7C90D0AE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtCreateFile + 4  7C90D0B2 2 Bytes  [87, 71]
.text  C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtDeleteValueKey  7C90D26E 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtDeleteValueKey + 4  7C90D272 2 Bytes  [8D, 71]
.text  C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtOpenFile  7C90D59E 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtOpenFile + 4  7C90D5A2 2 Bytes  [84, 71]
.text  C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtOpenProcess  7C90D5FE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtOpenProcess + 4  7C90D602 2 Bytes  [8A, 71]
.text  C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtSetContextThread  7C90DBAE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtSetContextThread + 4  7C90DBB2 2 Bytes  [81, 71]
.text  C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtSetValueKey  7C90DDCE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\Explorer.EXE[1976] ntdll.dll!NtSetValueKey + 4  7C90DDD2 2 Bytes  [90, 71]
.text  C:\WINDOWS\Explorer.EXE[1976] kernel32.dll!LoadLibraryExW + C4  7C801BB9 4 Bytes  CALL 00C00001
.text  C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!CreateServiceA  77E27211 6 Bytes  JMP 71970F5A
.text  C:\WINDOWS\Explorer.EXE[1976] ADVAPI32.dll!CreateServiceW  77E273A9 6 Bytes  JMP 71940F5A
.text  C:\WINDOWS\Explorer.EXE[1976] USER32.dll!PostMessageW  7E368CCB 6 Bytes  JMP 719A0F5A
.text  C:\WINDOWS\Explorer.EXE[1976] USER32.dll!SendMessageW  7E37929A 6 Bytes  JMP 71A00F5A
.text  C:\WINDOWS\Explorer.EXE[1976] USER32.dll!PostMessageA  7E37AAFD 6 Bytes  JMP 719D0F5A
.text  C:\WINDOWS\Explorer.EXE[1976] USER32.dll!SendInput  7E37F140 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\Explorer.EXE[1976] USER32.dll!SendInput + 4  7E37F144 2 Bytes  [A5, 71]
.text  C:\WINDOWS\Explorer.EXE[1976] USER32.dll!SendMessageA  7E37F3C2 6 Bytes  JMP 71A30F5A
.text  C:\WINDOWS\Explorer.EXE[1976] USER32.dll!mouse_event  7E3B673F 6 Bytes  JMP 71AC0F5A
.text  C:\WINDOWS\Explorer.EXE[1976] USER32.dll!keybd_event  7E3B6783 6 Bytes  JMP 71A90F5A
.text  C:\WINDOWS\Explorer.EXE[1976] WS2_32.dll!GetAddrInfoW  03202899 6 Bytes  JMP 716D0F5A
.text  C:\WINDOWS\Explorer.EXE[1976] WS2_32.dll!connect  03204A07 6 Bytes  JMP 71700F5A
.text  C:\WINDOWS\Explorer.EXE[1976] WS2_32.dll!gethostbyname  03205355 6 Bytes  JMP 71760F5A
.text  C:\WINDOWS\Explorer.EXE[1976] WS2_32.dll!listen  03208CD3 6 Bytes  JMP 71730F5A
.text  C:\WINDOWS\notepad.exe[3464] ntdll.dll!NtCreateFile  7C90D0AE 1 Byte  [FF]
.text  C:\WINDOWS\notepad.exe[3464] ntdll.dll!NtCreateFile  7C90D0AE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\notepad.exe[3464] ntdll.dll!NtCreateFile + 4  7C90D0B2 2 Bytes  [81, 71]
.text  C:\WINDOWS\notepad.exe[3464] ntdll.dll!NtDeleteValueKey  7C90D26E 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\notepad.exe[3464] ntdll.dll!NtDeleteValueKey + 4  7C90D272 2 Bytes  [87, 71]
.text  C:\WINDOWS\notepad.exe[3464] ntdll.dll!NtOpenFile  7C90D59E 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\notepad.exe[3464] ntdll.dll!NtOpenFile + 4  7C90D5A2 2 Bytes  [7E, 71] {JLE 0x73}
.text  C:\WINDOWS\notepad.exe[3464] ntdll.dll!NtOpenProcess  7C90D5FE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\notepad.exe[3464] ntdll.dll!NtOpenProcess + 4  7C90D602 2 Bytes  [84, 71]
.text  C:\WINDOWS\notepad.exe[3464] ntdll.dll!NtSetContextThread  7C90DBAE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\notepad.exe[3464] ntdll.dll!NtSetContextThread + 4  7C90DBB2 2 Bytes  [7B, 71] {JNP 0x73}
.text  C:\WINDOWS\notepad.exe[3464] ntdll.dll!NtSetValueKey  7C90DDCE 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\notepad.exe[3464] ntdll.dll!NtSetValueKey + 4  7C90DDD2 2 Bytes  [8A, 71]
.text  C:\WINDOWS\notepad.exe[3464] kernel32.dll!LoadLibraryExW + C4  7C801BB9 4 Bytes  CALL 00A50001
.text  C:\WINDOWS\notepad.exe[3464] ADVAPI32.dll!CreateServiceA  77E27211 6 Bytes  JMP 71910F5A
.text  C:\WINDOWS\notepad.exe[3464] ADVAPI32.dll!CreateServiceW  77E273A9 6 Bytes  JMP 718E0F5A
.text  C:\WINDOWS\notepad.exe[3464] USER32.dll!PostMessageW  7E368CCB 6 Bytes  JMP 71940F5A
.text  C:\WINDOWS\notepad.exe[3464] USER32.dll!SendMessageW  7E37929A 6 Bytes  JMP 719A0F5A
.text  C:\WINDOWS\notepad.exe[3464] USER32.dll!PostMessageA  7E37AAFD 6 Bytes  JMP 71970F5A
.text  C:\WINDOWS\notepad.exe[3464] USER32.dll!SendInput  7E37F140 3 Bytes  [FF, 25, 1E]
.text  C:\WINDOWS\notepad.exe[3464] USER32.dll!SendInput + 4  7E37F144 2 Bytes  [9F, 71]
.text  C:\WINDOWS\notepad.exe[3464] USER32.dll!SendMessageA  7E37F3C2 6 Bytes  JMP 719D0F5A
.text  C:\WINDOWS\notepad.exe[3464] USER32.dll!mouse_event  7E3B673F 6 Bytes  JMP 71A60F5A
.text  C:\WINDOWS\notepad.exe[3464] USER32.dll!keybd_event  7E3B6783 6 Bytes  JMP 71A30F5A

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)

---- EOF - GMER 1.0.15 ----