GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-26 16:32:03
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts2Port3Path0Target0Lun0 SAMSUNG_ rev.CP10
Running: jw2knn6g.exe; Driver: D:\DOCUME~1\DONIGU~1\USTAWI~1\Temp\axkdyfog.sys

---- System - GMER 1.0.15 ----

SSDT \??\D:\Program Files\Netia\Bezpieczny Internet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcess [0xB823ACC6]
SSDT \??\D:\Program Files\Netia\Bezpieczny Internet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcessEx [0xB823ACE0]
SSDT \??\D:\Program Files\Netia\Bezpieczny Internet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateThread [0xB8239E7C]
SSDT \??\D:\Program Files\Netia\Bezpieczny Internet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwLoadDriver [0xB823A1AC]
SSDT \??\D:\Program Files\Netia\Bezpieczny Internet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwMapViewOfSection [0xB8239BBC]
SSDT \??\D:\Program Files\Netia\Bezpieczny Internet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwOpenSection [0xB823A5DE]
SSDT \??\D:\Program Files\Netia\Bezpieczny Internet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwRenameKey [0xB823B87C]
SSDT \??\D:\Program Files\Netia\Bezpieczny Internet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSetSystemInformation [0xB823A42E]
SSDT \??\D:\Program Files\Netia\Bezpieczny Internet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendProcess [0xB8239A3C]
SSDT \??\D:\Program Files\Netia\Bezpieczny Internet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendThread [0xB8239EB0]
SSDT \??\D:\Program Files\Netia\Bezpieczny Internet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSystemDebugControl [0xB823A032]
SSDT \??\D:\Program Files\Netia\Bezpieczny Internet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateProcess [0xB8239996]
SSDT \??\D:\Program Files\Netia\Bezpieczny Internet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateThread [0xB8239AF6]
SSDT \??\D:\Program Files\Netia\Bezpieczny Internet\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwWriteVirtualMemory [0xB8239F76]

Code fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) IoCreateDevice

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FBD 80504849 7 Bytes [9E, 23, B8, 32, A0, 23, B8] {SAHF ; AND EDI, [EAX-0x47dc5fce]}
PAGE ntkrnlpa.exe!IoCreateDevice 805758EE 5 Bytes JMP B7DF7FFA fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisRegisterProtocol B7DC817F 5 Bytes JMP B7DF7E0C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisOpenAdapter B7DC8399 5 Bytes JMP B7DF8394 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisCloseAdapter B7DD2642 5 Bytes JMP B7DF7F18 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisDeregisterProtocol B7DD2821 5 Bytes JMP B7DF81B0 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisReturnPackets B7DD5810 5 Bytes JMP B7DF8C0C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisRequest B7DD597B 5 Bytes JMP B7DF85AC fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSend B7DD8986 5 Bytes JMP B7DF958C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSendPackets B7DD89A3 5 Bytes JMP B7DF965E fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisTransferData B7DD89BE 5 Bytes JMP B7DF8D0A fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoCreateVc B7DDF186 5 Bytes JMP B7DF7E76 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoDeleteVc B7DE0557 5 Bytes JMP B7DF7EE4 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoSendPackets B7DE0AF1 5 Bytes JMP B7DF9376 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
.text D:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6FE53C0, 0x95B7EA, 0xE8000020]
.text D:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA84B4300, 0x3AE88, 0xE8000020]
.text D:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB8378300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text D:\WINDOWS\system32\nvsvc32.exe[392] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 00C1000C
.text D:\WINDOWS\system32\nvsvc32.exe[392] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes JMP 00C1100C
.text D:\WINDOWS\system32\nvsvc32.exe[392] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C1200C
.text D:\WINDOWS\system32\nvsvc32.exe[392] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00C1300C
.text D:\WINDOWS\system32\nvsvc32.exe[392] ADVAPI32.dll!CloseServiceHandle 77DD6CC5 5 Bytes JMP 00C1700C
.text D:\WINDOWS\system32\nvsvc32.exe[392] ADVAPI32.dll!OpenServiceW 77DD6FDD 5 Bytes JMP 00C1500C
.text D:\WINDOWS\system32\nvsvc32.exe[392] ADVAPI32.dll!ControlService 77DE49DD 5 Bytes JMP 00C1600C
.text D:\WINDOWS\system32\nvsvc32.exe[392] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 00C1800C
.text D:\WINDOWS\system32\nvsvc32.exe[392] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00C1400C
.text D:\WINDOWS\system32\nvsvc32.exe[392] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00C1A00C
.text D:\WINDOWS\system32\nvsvc32.exe[392] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00C1900C
.text D:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[508] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 0125000C
.text D:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[508] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes JMP 0125100C
.text D:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[508] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0125200C
.text D:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[508] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 0125300C
.text D:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[508] ADVAPI32.dll!CloseServiceHandle 77DD6CC5 5 Bytes JMP 0125700C
.text D:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[508] ADVAPI32.dll!OpenServiceW 77DD6FDD 5 Bytes JMP 0125500C
.text D:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[508] ADVAPI32.dll!ControlService 77DE49DD 5 Bytes JMP 0125600C
.text D:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[508] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 0125800C
.text D:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[508] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0125400C
.text D:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[508] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0125A00C
.text D:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[508] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 0125900C
.text D:\WINDOWS\system32\winlogon.exe[788] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 011B000C
.text D:\WINDOWS\system32\winlogon.exe[788] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes JMP 011B100C
.text D:\WINDOWS\system32\winlogon.exe[788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011B200C
.text D:\WINDOWS\system32\winlogon.exe[788] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 011B300C
.text D:\WINDOWS\system32\winlogon.exe[788] ADVAPI32.dll!CloseServiceHandle 77DD6CC5 5 Bytes JMP 011B700C
.text D:\WINDOWS\system32\winlogon.exe[788] ADVAPI32.dll!OpenServiceW 77DD6FDD 5 Bytes JMP 011B500C
.text D:\WINDOWS\system32\winlogon.exe[788] ADVAPI32.dll!ControlService 77DE49DD 5 Bytes JMP 011B600C
.text D:\WINDOWS\system32\winlogon.exe[788] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 011B800C
.text D:\WINDOWS\system32\winlogon.exe[788] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 011B400C
.text D:\WINDOWS\system32\winlogon.exe[788] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 011BA00C
.text D:\WINDOWS\system32\winlogon.exe[788] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 011B900C
.text D:\WINDOWS\system32\lsass.exe[892] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 00FA000C
.text D:\WINDOWS\system32\lsass.exe[892] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes JMP 00FA100C
.text D:\WINDOWS\system32\lsass.exe[892] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FA200C
.text D:\WINDOWS\system32\lsass.exe[892] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00FA300C
.text D:\WINDOWS\system32\lsass.exe[892] ADVAPI32.dll!CloseServiceHandle 77DD6CC5 5 Bytes JMP 00FA700C
.text D:\WINDOWS\system32\lsass.exe[892] ADVAPI32.dll!OpenServiceW 77DD6FDD 5 Bytes JMP 00FA500C
.text D:\WINDOWS\system32\lsass.exe[892] ADVAPI32.dll!ControlService 77DE49DD 5 Bytes JMP 00FA600C
.text D:\WINDOWS\system32\lsass.exe[892] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 00FA800C
.text D:\WINDOWS\system32\lsass.exe[892] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00FA400C
.text D:\WINDOWS\system32\lsass.exe[892] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00FAA00C
.text D:\WINDOWS\system32\lsass.exe[892] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00FA900C
.text d:\program files\idt\v114_ecs_d_6207.2v7_6099.8xp_g2.0v_rc_sdc\wdm\STacSV.exe[1656] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 02E4000C
.text d:\program files\idt\v114_ecs_d_6207.2v7_6099.8xp_g2.0v_rc_sdc\wdm\STacSV.exe[1656] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes JMP 02E4100C
.text d:\program files\idt\v114_ecs_d_6207.2v7_6099.8xp_g2.0v_rc_sdc\wdm\STacSV.exe[1656] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02E4200C
.text d:\program files\idt\v114_ecs_d_6207.2v7_6099.8xp_g2.0v_rc_sdc\wdm\STacSV.exe[1656] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 02E4300C
.text d:\program files\idt\v114_ecs_d_6207.2v7_6099.8xp_g2.0v_rc_sdc\wdm\STacSV.exe[1656] ADVAPI32.dll!CloseServiceHandle 77DD6CC5 5 Bytes JMP 02E4700C
.text d:\program files\idt\v114_ecs_d_6207.2v7_6099.8xp_g2.0v_rc_sdc\wdm\STacSV.exe[1656] ADVAPI32.dll!OpenServiceW 77DD6FDD 5 Bytes JMP 02E4500C
.text d:\program files\idt\v114_ecs_d_6207.2v7_6099.8xp_g2.0v_rc_sdc\wdm\STacSV.exe[1656] ADVAPI32.dll!ControlService 77DE49DD 5 Bytes JMP 02E4600C
.text d:\program files\idt\v114_ecs_d_6207.2v7_6099.8xp_g2.0v_rc_sdc\wdm\STacSV.exe[1656] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 02E4800C
.text d:\program files\idt\v114_ecs_d_6207.2v7_6099.8xp_g2.0v_rc_sdc\wdm\STacSV.exe[1656] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 02E4400C
.text d:\program files\idt\v114_ecs_d_6207.2v7_6099.8xp_g2.0v_rc_sdc\wdm\STacSV.exe[1656] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 02E4A00C
.text d:\program files\idt\v114_ecs_d_6207.2v7_6099.8xp_g2.0v_rc_sdc\wdm\STacSV.exe[1656] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 02E4900C
.text D:\WINDOWS\System32\alg.exe[1976] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 00BA000C
.text D:\WINDOWS\System32\alg.exe[1976] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes JMP 00BA100C
.text D:\WINDOWS\System32\alg.exe[1976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA200C
.text D:\WINDOWS\System32\alg.exe[1976] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00BA300C
.text D:\WINDOWS\System32\alg.exe[1976] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00BA400C
.text D:\WINDOWS\System32\alg.exe[1976] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00BAA00C
.text D:\WINDOWS\System32\alg.exe[1976] ADVAPI32.dll!CloseServiceHandle 77DD6CC5 5 Bytes JMP 00BA700C
.text D:\WINDOWS\System32\alg.exe[1976] ADVAPI32.dll!OpenServiceW 77DD6FDD 5 Bytes JMP 00BA500C
.text D:\WINDOWS\System32\alg.exe[1976] ADVAPI32.dll!ControlService 77DE49DD 5 Bytes JMP 00BA600C
.text D:\WINDOWS\System32\alg.exe[1976] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 00BA800C
.text D:\WINDOWS\System32\alg.exe[1976] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00BA900C
.text D:\Program Files\VDOTool\TBPanel.exe[2204] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 00B1000C
.text D:\Program Files\VDOTool\TBPanel.exe[2204] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes JMP 00B1100C
.text D:\Program Files\VDOTool\TBPanel.exe[2204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B1200C
.text D:\Program Files\VDOTool\TBPanel.exe[2204] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00B1300C
.text D:\Program Files\VDOTool\TBPanel.exe[2204] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00B1400C
.text D:\Program Files\VDOTool\TBPanel.exe[2204] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00B1A00C
.text D:\Program Files\VDOTool\TBPanel.exe[2204] ADVAPI32.dll!CloseServiceHandle 77DD6CC5 5 Bytes JMP 00B1700C
.text D:\Program Files\VDOTool\TBPanel.exe[2204] ADVAPI32.dll!OpenServiceW 77DD6FDD 5 Bytes JMP 00B1500C
.text D:\Program Files\VDOTool\TBPanel.exe[2204] ADVAPI32.dll!ControlService 77DE49DD 5 Bytes JMP 00B1600C
.text D:\Program Files\VDOTool\TBPanel.exe[2204] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 00B1800C
.text D:\Program Files\VDOTool\TBPanel.exe[2204] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00B1900C
.text D:\Program Files\IDT\WDM\sttray.exe[3020] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 009E000C
.text D:\Program Files\IDT\WDM\sttray.exe[3020] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes JMP 009E100C
.text D:\Program Files\IDT\WDM\sttray.exe[3020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009E200C
.text D:\Program Files\IDT\WDM\sttray.exe[3020] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 009E300C
.text D:\Program Files\IDT\WDM\sttray.exe[3020] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 009E400C
.text D:\Program Files\IDT\WDM\sttray.exe[3020] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 009EA00C
.text D:\Program Files\IDT\WDM\sttray.exe[3020] ADVAPI32.dll!CloseServiceHandle 77DD6CC5 5 Bytes JMP 009E700C
.text D:\Program Files\IDT\WDM\sttray.exe[3020] ADVAPI32.dll!OpenServiceW 77DD6FDD 5 Bytes JMP 009E500C
.text D:\Program Files\IDT\WDM\sttray.exe[3020] ADVAPI32.dll!ControlService 77DE49DD 5 Bytes JMP 009E600C
.text D:\Program Files\IDT\WDM\sttray.exe[3020] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 009E800C
.text D:\Program Files\IDT\WDM\sttray.exe[3020] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 009E900C
.text D:\WINDOWS\system32\RUNDLL32.EXE[3028] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 00A1000C
.text D:\WINDOWS\system32\RUNDLL32.EXE[3028] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes JMP 00A1100C
.text D:\WINDOWS\system32\RUNDLL32.EXE[3028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A1200C
.text D:\WINDOWS\system32\RUNDLL32.EXE[3028] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00A1300C
.text D:\WINDOWS\system32\RUNDLL32.EXE[3028] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00A1400C
.text D:\WINDOWS\system32\RUNDLL32.EXE[3028] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00A1A00C
.text D:\WINDOWS\system32\RUNDLL32.EXE[3028] ADVAPI32.dll!CloseServiceHandle 77DD6CC5 5 Bytes JMP 00A1700C
.text D:\WINDOWS\system32\RUNDLL32.EXE[3028] ADVAPI32.dll!OpenServiceW 77DD6FDD 5 Bytes JMP 00A1500C
.text D:\WINDOWS\system32\RUNDLL32.EXE[3028] ADVAPI32.dll!ControlService 77DE49DD 5 Bytes JMP 00A1600C
.text D:\WINDOWS\system32\RUNDLL32.EXE[3028] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 00A1800C
.text D:\WINDOWS\system32\RUNDLL32.EXE[3028] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00A1900C
.text D:\WINDOWS\system32\rundll32.exe[3072] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 00A1000C
.text D:\WINDOWS\system32\rundll32.exe[3072] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes JMP 00A1100C
.text D:\WINDOWS\system32\rundll32.exe[3072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A1200C
.text D:\WINDOWS\system32\rundll32.exe[3072] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00A1300C
.text D:\WINDOWS\system32\rundll32.exe[3072] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00A1400C
.text D:\WINDOWS\system32\rundll32.exe[3072] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00A1A00C
.text D:\WINDOWS\system32\rundll32.exe[3072] ADVAPI32.dll!CloseServiceHandle 77DD6CC5 5 Bytes JMP 00A1700C
.text D:\WINDOWS\system32\rundll32.exe[3072] ADVAPI32.dll!OpenServiceW 77DD6FDD 5 Bytes JMP 00A1500C
.text D:\WINDOWS\system32\rundll32.exe[3072] ADVAPI32.dll!ControlService 77DE49DD 5 Bytes JMP 00A1600C
.text D:\WINDOWS\system32\rundll32.exe[3072] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 00A1800C
.text D:\WINDOWS\system32\rundll32.exe[3072] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00A1900C
.text D:\WINDOWS\Explorer.EXE[4060] ntdll.dll!NtCreateProcess 7C90D130 5 Bytes JMP 00A4000C
.text D:\WINDOWS\Explorer.EXE[4060] ntdll.dll!NtCreateProcessEx 7C90D140 5 Bytes JMP 00A4100C
.text D:\WINDOWS\Explorer.EXE[4060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A4200C
.text D:\WINDOWS\Explorer.EXE[4060] kernel32.dll!TerminateThread 7C81CB23 5 Bytes JMP 00A4300C
.text D:\WINDOWS\Explorer.EXE[4060] ADVAPI32.dll!CloseServiceHandle 77DD6CC5 5 Bytes JMP 00A4700C
.text D:\WINDOWS\Explorer.EXE[4060] ADVAPI32.dll!OpenServiceW 77DD6FDD 5 Bytes JMP 00A4500C
.text D:\WINDOWS\Explorer.EXE[4060] ADVAPI32.dll!ControlService 77DE49DD 5 Bytes JMP 00A4600C
.text D:\WINDOWS\Explorer.EXE[4060] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 00A4800C
.text D:\WINDOWS\Explorer.EXE[4060] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00A4400C
.text D:\WINDOWS\Explorer.EXE[4060] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00A4A00C
.text D:\WINDOWS\Explorer.EXE[4060] ole32.dll!CoCreateInstanceEx 774F0526 5 Bytes JMP 00A4900C

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\Tcp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\Udp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\RawIp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\IPMULTICAST fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015833d0a57
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015833d0a57@48dcfbf9ea59 0xB4 0xB6 0x61 0xCA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015833d0a57@3c438e79fc69 0x6A 0xB0 0xBB 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015833d0a57@1c62b854f6a7 0x23 0xDC 0x95 0xB8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015833d0a57 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015833d0a57@48dcfbf9ea59 0xB4 0xB6 0x61 0xCA ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015833d0a57@3c438e79fc69 0x6A 0xB0 0xBB 0x47 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015833d0a57@1c62b854f6a7 0x23 0xDC 0x95 0xB8 ...

---- EOF - GMER 1.0.15 ----