GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-10-09 16:17:58 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0 INTEL_SS rev.4PC1 Running: bws6zs5b.exe; Driver: C:\DOCUME~1\Artur\USTAWI~1\Temp\uwldapob.sys ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6F643C0, 0x843A2A, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\Explorer.EXE[168] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\Explorer.EXE[168] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[168] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\WINDOWS\Explorer.EXE[168] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[168] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\WINDOWS\Explorer.EXE[168] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[168] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\WINDOWS\Explorer.EXE[168] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[168] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\WINDOWS\Explorer.EXE[168] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[168] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\WINDOWS\Explorer.EXE[168] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[168] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\WINDOWS\Explorer.EXE[168] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\Explorer.EXE[168] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\WINDOWS\Explorer.EXE[168] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[168] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[168] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\WINDOWS\Explorer.EXE[168] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\WINDOWS\Explorer.EXE[168] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[168] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\WINDOWS\Explorer.EXE[168] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\WINDOWS\Explorer.EXE[168] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\WINDOWS\Explorer.EXE[168] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\WINDOWS\Explorer.EXE[168] WS2_32.dll!GetAddrInfoW 034A2899 6 Bytes JMP 7169000A .text C:\WINDOWS\Explorer.EXE[168] WS2_32.dll!connect 034A4A07 6 Bytes JMP 7175000A .text C:\WINDOWS\Explorer.EXE[168] WS2_32.dll!gethostbyname 034A5355 6 Bytes JMP 716F000A .text C:\WINDOWS\Explorer.EXE[168] WS2_32.dll!listen 034A8CD3 6 Bytes JMP 7172000A .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\Documents and Settings\Artur\Pulpit\bws6zs5b.exe[464] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\Program Files\Microsoft Security Client\msseces.exe[492] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\Program Files\Microsoft Security Client\msseces.exe[492] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\Program Files\Microsoft Security Client\msseces.exe[492] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\Program Files\Microsoft Security Client\msseces.exe[492] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\Program Files\Microsoft Security Client\msseces.exe[492] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[492] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\Program Files\Microsoft Security Client\msseces.exe[492] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\Program Files\Microsoft Security Client\msseces.exe[492] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[504] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\WINDOWS\system32\RunDLL32.exe[532] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\RunDLL32.exe[532] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[532] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\WINDOWS\system32\RunDLL32.exe[532] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[532] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\WINDOWS\system32\RunDLL32.exe[532] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[532] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\WINDOWS\system32\RunDLL32.exe[532] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[532] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\WINDOWS\system32\RunDLL32.exe[532] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[532] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\WINDOWS\system32\RunDLL32.exe[532] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[532] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\WINDOWS\system32\RunDLL32.exe[532] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\system32\RunDLL32.exe[532] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\RunDLL32.exe[532] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\RunDLL32.exe[532] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\RunDLL32.exe[532] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[532] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\WINDOWS\system32\RunDLL32.exe[532] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\WINDOWS\system32\RunDLL32.exe[532] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\WINDOWS\system32\RunDLL32.exe[532] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\WINDOWS\system32\RunDLL32.exe[532] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\RunDLL32.exe[532] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\RunDLL32.exe[532] WS2_32.dll!GetAddrInfoW 00FC2899 6 Bytes JMP 7169000A .text C:\WINDOWS\system32\RunDLL32.exe[532] WS2_32.dll!connect 00FC4A07 6 Bytes JMP 7175000A .text C:\WINDOWS\system32\RunDLL32.exe[532] WS2_32.dll!gethostbyname 00FC5355 6 Bytes JMP 716C000A .text C:\WINDOWS\system32\RunDLL32.exe[532] WS2_32.dll!listen 00FC8CD3 6 Bytes JMP 7170000A .text C:\WINDOWS\RTHDCPL.EXE[552] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\RTHDCPL.EXE[552] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[552] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [7E, 71] {JLE 0x73} .text C:\WINDOWS\RTHDCPL.EXE[552] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[552] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [84, 71] .text C:\WINDOWS\RTHDCPL.EXE[552] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[552] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [7B, 71] {JNP 0x73} .text C:\WINDOWS\RTHDCPL.EXE[552] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[552] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [81, 71] .text C:\WINDOWS\RTHDCPL.EXE[552] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[552] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [78, 71] {JS 0x73} .text C:\WINDOWS\RTHDCPL.EXE[552] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[552] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [87, 71] .text C:\WINDOWS\RTHDCPL.EXE[552] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\RTHDCPL.EXE[552] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 718E000A .text C:\WINDOWS\RTHDCPL.EXE[552] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 718B000A .text C:\WINDOWS\RTHDCPL.EXE[552] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7191000A .text C:\WINDOWS\RTHDCPL.EXE[552] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 7197000A .text C:\WINDOWS\RTHDCPL.EXE[552] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 7194000A .text C:\WINDOWS\RTHDCPL.EXE[552] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[552] USER32.dll!SendInput + 4 7E37F144 2 Bytes [9C, 71] .text C:\WINDOWS\RTHDCPL.EXE[552] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 719A000A .text C:\WINDOWS\RTHDCPL.EXE[552] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71A3000A .text C:\WINDOWS\RTHDCPL.EXE[552] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A0000A .text C:\WINDOWS\system32\ctfmon.exe[560] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\ctfmon.exe[560] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[560] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\WINDOWS\system32\ctfmon.exe[560] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[560] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\WINDOWS\system32\ctfmon.exe[560] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[560] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\WINDOWS\system32\ctfmon.exe[560] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[560] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\WINDOWS\system32\ctfmon.exe[560] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[560] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\WINDOWS\system32\ctfmon.exe[560] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[560] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\WINDOWS\system32\ctfmon.exe[560] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\system32\ctfmon.exe[560] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\ctfmon.exe[560] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\ctfmon.exe[560] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\ctfmon.exe[560] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\ctfmon.exe[560] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\ctfmon.exe[560] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[560] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\WINDOWS\system32\ctfmon.exe[560] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\WINDOWS\system32\ctfmon.exe[560] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\WINDOWS\system32\ctfmon.exe[560] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\WINDOWS\system32\rundll32.exe[640] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\rundll32.exe[640] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[640] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\WINDOWS\system32\rundll32.exe[640] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[640] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\WINDOWS\system32\rundll32.exe[640] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[640] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\WINDOWS\system32\rundll32.exe[640] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[640] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\WINDOWS\system32\rundll32.exe[640] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[640] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\WINDOWS\system32\rundll32.exe[640] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[640] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\WINDOWS\system32\rundll32.exe[640] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\system32\rundll32.exe[640] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\rundll32.exe[640] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\rundll32.exe[640] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\rundll32.exe[640] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[640] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\WINDOWS\system32\rundll32.exe[640] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\WINDOWS\system32\rundll32.exe[640] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\WINDOWS\system32\rundll32.exe[640] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\WINDOWS\system32\rundll32.exe[640] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\rundll32.exe[640] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] WS2_32.dll!GetAddrInfoW 00C42899 6 Bytes JMP 7175000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] WS2_32.dll!connect 00C44A07 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] WS2_32.dll!gethostbyname 00C45355 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1292] WS2_32.dll!listen 00C48CD3 6 Bytes JMP 717B000A .text C:\WINDOWS\system32\wscntfy.exe[3312] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\wscntfy.exe[3312] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[3312] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\WINDOWS\system32\wscntfy.exe[3312] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[3312] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\WINDOWS\system32\wscntfy.exe[3312] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[3312] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\WINDOWS\system32\wscntfy.exe[3312] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[3312] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\WINDOWS\system32\wscntfy.exe[3312] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[3312] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\WINDOWS\system32\wscntfy.exe[3312] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[3312] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\WINDOWS\system32\wscntfy.exe[3312] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\system32\wscntfy.exe[3312] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\wscntfy.exe[3312] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\wscntfy.exe[3312] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\wscntfy.exe[3312] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[3312] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\WINDOWS\system32\wscntfy.exe[3312] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\WINDOWS\system32\wscntfy.exe[3312] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\WINDOWS\system32\wscntfy.exe[3312] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\WINDOWS\system32\wscntfy.exe[3312] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\wscntfy.exe[3312] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.) ---- EOF - GMER 1.0.15 ----