GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-10-11 18:46:18 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0 INTEL_SS rev.4PC1 Running: rfe83d1d.exe; Driver: C:\DOCUME~1\Artur\USTAWI~1\Temp\uwldapob.sys ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6F643C0, 0x843A2A, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\Documents and Settings\Artur\Pulpit\rfe83d1d.exe[192] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\Program Files\Microsoft Security Client\msseces.exe[496] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\Program Files\Microsoft Security Client\msseces.exe[496] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\Program Files\Microsoft Security Client\msseces.exe[496] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\Program Files\Microsoft Security Client\msseces.exe[496] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\Program Files\Microsoft Security Client\msseces.exe[496] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\Program Files\Microsoft Security Client\msseces.exe[496] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\Program Files\Microsoft Security Client\msseces.exe[496] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\Program Files\Microsoft Security Client\msseces.exe[496] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[508] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\WINDOWS\system32\RunDLL32.exe[528] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\RunDLL32.exe[528] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[528] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\WINDOWS\system32\RunDLL32.exe[528] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[528] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\WINDOWS\system32\RunDLL32.exe[528] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[528] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\WINDOWS\system32\RunDLL32.exe[528] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[528] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\WINDOWS\system32\RunDLL32.exe[528] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[528] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\WINDOWS\system32\RunDLL32.exe[528] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[528] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\WINDOWS\system32\RunDLL32.exe[528] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\system32\RunDLL32.exe[528] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\RunDLL32.exe[528] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\RunDLL32.exe[528] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\RunDLL32.exe[528] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\RunDLL32.exe[528] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\WINDOWS\system32\RunDLL32.exe[528] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\WINDOWS\system32\RunDLL32.exe[528] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\WINDOWS\system32\RunDLL32.exe[528] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\WINDOWS\system32\RunDLL32.exe[528] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\RunDLL32.exe[528] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\RunDLL32.exe[528] WS2_32.dll!GetAddrInfoW 00FC2899 6 Bytes JMP 7169000A .text C:\WINDOWS\system32\RunDLL32.exe[528] WS2_32.dll!connect 00FC4A07 6 Bytes JMP 7175000A .text C:\WINDOWS\system32\RunDLL32.exe[528] WS2_32.dll!gethostbyname 00FC5355 6 Bytes JMP 716C000A .text C:\WINDOWS\system32\RunDLL32.exe[528] WS2_32.dll!listen 00FC8CD3 6 Bytes JMP 7170000A .text C:\WINDOWS\RTHDCPL.EXE[568] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\RTHDCPL.EXE[568] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[568] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [7E, 71] {JLE 0x73} .text C:\WINDOWS\RTHDCPL.EXE[568] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[568] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [84, 71] .text C:\WINDOWS\RTHDCPL.EXE[568] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[568] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [7B, 71] {JNP 0x73} .text C:\WINDOWS\RTHDCPL.EXE[568] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[568] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [81, 71] .text C:\WINDOWS\RTHDCPL.EXE[568] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[568] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [78, 71] {JS 0x73} .text C:\WINDOWS\RTHDCPL.EXE[568] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[568] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [87, 71] .text C:\WINDOWS\RTHDCPL.EXE[568] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\RTHDCPL.EXE[568] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 718E000A .text C:\WINDOWS\RTHDCPL.EXE[568] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 718B000A .text C:\WINDOWS\RTHDCPL.EXE[568] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7191000A .text C:\WINDOWS\RTHDCPL.EXE[568] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 7197000A .text C:\WINDOWS\RTHDCPL.EXE[568] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 7194000A .text C:\WINDOWS\RTHDCPL.EXE[568] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\RTHDCPL.EXE[568] USER32.dll!SendInput + 4 7E37F144 2 Bytes [9C, 71] .text C:\WINDOWS\RTHDCPL.EXE[568] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 719A000A .text C:\WINDOWS\RTHDCPL.EXE[568] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71A3000A .text C:\WINDOWS\RTHDCPL.EXE[568] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A0000A .text C:\WINDOWS\system32\ctfmon.exe[580] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\ctfmon.exe[580] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[580] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\WINDOWS\system32\ctfmon.exe[580] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[580] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\WINDOWS\system32\ctfmon.exe[580] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[580] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\WINDOWS\system32\ctfmon.exe[580] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[580] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\WINDOWS\system32\ctfmon.exe[580] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[580] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\WINDOWS\system32\ctfmon.exe[580] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[580] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\WINDOWS\system32\ctfmon.exe[580] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\system32\ctfmon.exe[580] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\ctfmon.exe[580] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\ctfmon.exe[580] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\ctfmon.exe[580] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\ctfmon.exe[580] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\ctfmon.exe[580] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\ctfmon.exe[580] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\WINDOWS\system32\ctfmon.exe[580] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\WINDOWS\system32\ctfmon.exe[580] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\WINDOWS\system32\ctfmon.exe[580] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\WINDOWS\system32\rundll32.exe[700] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\rundll32.exe[700] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[700] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\WINDOWS\system32\rundll32.exe[700] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[700] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\WINDOWS\system32\rundll32.exe[700] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[700] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\WINDOWS\system32\rundll32.exe[700] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[700] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\WINDOWS\system32\rundll32.exe[700] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[700] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\WINDOWS\system32\rundll32.exe[700] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[700] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\WINDOWS\system32\rundll32.exe[700] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\system32\rundll32.exe[700] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\rundll32.exe[700] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\rundll32.exe[700] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\rundll32.exe[700] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\rundll32.exe[700] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\WINDOWS\system32\rundll32.exe[700] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\WINDOWS\system32\rundll32.exe[700] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\WINDOWS\system32\rundll32.exe[700] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\WINDOWS\system32\rundll32.exe[700] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\rundll32.exe[700] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\WINDOWS\system32\wscntfy.exe[1256] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\system32\wscntfy.exe[1256] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[1256] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\WINDOWS\system32\wscntfy.exe[1256] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[1256] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\WINDOWS\system32\wscntfy.exe[1256] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[1256] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\WINDOWS\system32\wscntfy.exe[1256] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[1256] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\WINDOWS\system32\wscntfy.exe[1256] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[1256] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\WINDOWS\system32\wscntfy.exe[1256] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[1256] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\WINDOWS\system32\wscntfy.exe[1256] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\system32\wscntfy.exe[1256] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\WINDOWS\system32\wscntfy.exe[1256] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\WINDOWS\system32\wscntfy.exe[1256] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\WINDOWS\system32\wscntfy.exe[1256] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[1256] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\WINDOWS\system32\wscntfy.exe[1256] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\WINDOWS\system32\wscntfy.exe[1256] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\WINDOWS\system32\wscntfy.exe[1256] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\WINDOWS\system32\wscntfy.exe[1256] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\WINDOWS\system32\wscntfy.exe[1256] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] WS2_32.dll!GetAddrInfoW 00C42899 6 Bytes JMP 7175000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] WS2_32.dll!connect 00C44A07 6 Bytes JMP 717E000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] WS2_32.dll!gethostbyname 00C45355 6 Bytes JMP 7178000A .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1980] WS2_32.dll!listen 00C48CD3 6 Bytes JMP 717B000A .text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtCreateFile 7C90D0AE 1 Byte [FF] .text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtCreateFile + 4 7C90D0B2 2 Bytes [86, 71] .text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtDeleteValueKey 7C90D26E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtDeleteValueKey + 4 7C90D272 2 Bytes [8C, 71] .text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [83, 71] .text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtOpenProcess 7C90D5FE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtOpenProcess + 4 7C90D602 2 Bytes [89, 71] .text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtSetContextThread 7C90DBAE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtSetContextThread + 4 7C90DBB2 2 Bytes [80, 71] .text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[2024] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [8F, 71] .text C:\WINDOWS\Explorer.EXE[2024] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\Explorer.EXE[2024] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 7196000A .text C:\WINDOWS\Explorer.EXE[2024] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 7193000A .text C:\WINDOWS\Explorer.EXE[2024] USER32.dll!PostMessageW 7E368CCB 6 Bytes JMP 7199000A .text C:\WINDOWS\Explorer.EXE[2024] USER32.dll!SendMessageW 7E37929A 6 Bytes JMP 719F000A .text C:\WINDOWS\Explorer.EXE[2024] USER32.dll!PostMessageA 7E37AAFD 6 Bytes JMP 719C000A .text C:\WINDOWS\Explorer.EXE[2024] USER32.dll!SendInput 7E37F140 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[2024] USER32.dll!SendInput + 4 7E37F144 2 Bytes [A4, 71] .text C:\WINDOWS\Explorer.EXE[2024] USER32.dll!SendMessageA 7E37F3C2 6 Bytes JMP 71A2000A .text C:\WINDOWS\Explorer.EXE[2024] USER32.dll!mouse_event 7E3B673F 6 Bytes JMP 71AB000A .text C:\WINDOWS\Explorer.EXE[2024] USER32.dll!keybd_event 7E3B6783 6 Bytes JMP 71A8000A .text C:\WINDOWS\Explorer.EXE[2024] WS2_32.dll!GetAddrInfoW 02852899 6 Bytes JMP 7169000A .text C:\WINDOWS\Explorer.EXE[2024] WS2_32.dll!connect 02854A07 6 Bytes JMP 7175000A .text C:\WINDOWS\Explorer.EXE[2024] WS2_32.dll!gethostbyname 02855355 6 Bytes JMP 716F000A .text C:\WINDOWS\Explorer.EXE[2024] WS2_32.dll!listen 02858CD3 6 Bytes JMP 7172000A ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.) ---- EOF - GMER 1.0.15 ----