GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-06-02 21:32:32 Windows 5.1.2600 Dodatek Service Pack 3 Running: xdzuydh2.exe; Driver: C:\DOCUME~1\Krzysiek\USTAWI~1\Temp\uwddaaow.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF2D99C7A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF2D99B36] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xF2D9A0EA] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF2D9A014] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF2D9970C] SSDT spzs.sys ZwEnumerateKey [0xF72A4CA4] SSDT spzs.sys ZwEnumerateValueKey [0xF72A5032] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF2D99C10] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF2D9964C] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF2D996B0] SSDT spzs.sys ZwQueryKey [0xF72A510A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF2D99D30] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xF2D9A1B8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF2D99CF0] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF2D99E70] INT 0x62 ? 86DACBF8 INT 0x63 ? 86BBFBF8 INT 0x73 ? 86D3EBF8 INT 0x82 ? 86DACBF8 INT 0x83 ? 86D3EBF8 INT 0xB4 ? 86BBFBF8 Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF2DA6AC6] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF2DA68EA] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF2DA6A24] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2468 80501CA0 4 Bytes JMP DAF2D9A0 PAGE ntkrnlpa.exe!ZwLoadDriver 805795FA 7 Bytes JMP F2DA6A28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) PAGE ntkrnlpa.exe!NtCreateSection 805A075C 7 Bytes JMP F2DA68EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CE0 5 Bytes JMP F2DA2536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) PAGE ntkrnlpa.exe!ObInsertObject 805B8B58 5 Bytes JMP F2DA3EC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP F2DA6ACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ? spzs.sys Nie można odnaleźć określonego pliku. ! .text USBPORT.SYS!DllUnload F70488AC 5 Bytes JMP 86BBF1D8 .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6520380, 0x2FF527, 0xE8000020] .text win32k.sys!EngGradientFill + 109 BF89F600 7 Bytes [53, 33, DB, 3B, CB, C7, 45] .text win32k.sys!EngGradientFill + 111 BF89F608 11 Bytes [01, 00, 00, 00, 89, 4D, EC, ...] .text win32k.sys!EngGradientFill + 11D BF89F614 19 Bytes [FF, 56, 57, 8D, 4D, E4, 51, ...] .text win32k.sys!EngGradientFill + 131 BF89F628 6 Bytes [00, 39, 5D, 1C, 8B, 45] {ADD [ECX], BH; POP EBP; SBB AL, 0x8b; INC EBP} .text win32k.sys!EngGradientFill + 138 BF89F62F 48 Bytes [8B, 75, 24, 89, 45, 90, 8D, ...] .text ... .text win32k.sys!EngStretchBltROP + 28 BF8A3515 22 Bytes [CC, CC, 00, 00, 89, 4D, F0, ...] .text win32k.sys!EngStretchBltROP + 3F BF8A352C 85 Bytes [41, 38, 8B, 49, 48, 83, E1, ...] .text win32k.sys!EngStretchBltROP + 95 BF8A3582 14 Bytes CALL AA8A358C .text win32k.sys!EngStretchBltROP + A5 BF8A3592 20 Bytes [F6, 42, 22, 02, 0F, 84, F1, ...] .text win32k.sys!EngStretchBltROP + BA BF8A35A7 10 Bytes [92, 7C, 05, 00, 00, 39, 56, ...] {XCHG EDX, EAX; JL 0x8; ADD [EAX], AL; CMP [ESI+0x4], EDX; JL 0x21} .text ... .text win32k.sys!EngModifySurface + 2 BF8A458B 1 Byte [55] .text win32k.sys!EngModifySurface + 2 BF8A458B 44 Bytes [55, 8B, EC, 83, EC, 0C, 53, ...] .text win32k.sys!EngModifySurface + 30 BF8A45B9 17 Bytes [8B, 75, F4, 3B, F7, 0F, 84, ...] .text win32k.sys!EngModifySurface + 42 BF8A45CB 7 Bytes [FF, FF, F7, 45, 14, FC, FF] .text win32k.sys!EngModifySurface + 4B BF8A45D4 10 Bytes [0F, 85, 03, 01, 00, 00, 8B, ...] .text ... .text win32k.sys!EngAlphaBlend + 97 BF8A5119 8 Bytes [1C, 89, 45, 1C, E8, 62, 02, ...] .text win32k.sys!EngAlphaBlend + A0 BF8A5122 36 Bytes [8B, 45, 0C, 8B, 48, 0C, 33, ...] .text win32k.sys!EngAlphaBlend + C5 BF8A5147 45 Bytes [EC, 50, FF, 75, 08, 53, E8, ...] .text win32k.sys!EngAlphaBlend + F3 BF8A5175 10 Bytes [A5, A5, A5, A5, 89, 45, B0, ...] {MOVSD ; MOVSD ; MOVSD ; MOVSD ; MOV [EBP-0x50], EAX; MOV EAX, [EBP-0x40]} .text win32k.sys!EngAlphaBlend + FE BF8A5180 47 Bytes [FF, 47, 57, 89, 45, B4, 33, ...] .text ... .text win32k.sys!EngAllocMem + 1 BF8A79C5 5 Bytes [FF, 55, 8B, EC, 57] {CALL [EBP-0x75]; IN AL, DX ; PUSH EDI} .text win32k.sys!EngAllocMem + 7 BF8A79CB 63 Bytes [7D, 0C, 85, FF, 74, D0, 83, ...] .text win32k.sys!EngAllocMem + 47 BF8A7A0B 74 Bytes [C6, 5E, 5F, 5D, C2, 0C, 00, ...] .text win32k.sys!EngFreeMem + 3B BF8A7A56 42 Bytes [4D, 08, 8B, 01, 8B, 49, 04, ...] .text win32k.sys!EngFreeMem + 66 BF8A7A81 61 Bytes [01, 56, 8B, B0, 08, 06, 00, ...] .text win32k.sys!EngFreeMem + A4 BF8A7ABF 129 Bytes [15, C4, DE, 98, BF, 8B, C7, ...] .text win32k.sys!EngFreeMem + 126 BF8A7B41 46 Bytes [00, 8B, 11, 89, 10, 89, 01, ...] .text win32k.sys!EngFreeMem + 155 BF8A7B70 62 Bytes [8B, 86, 24, 02, 00, 00, 74, ...] .text ... .text win32k.sys!XFORMOBJ_iGetXform + 11 BF8B6567 12 Bytes [74, 0A, FF, 75, 0C, 8B, CE, ...] {JZ 0xc; PUSH DWORD [EBP+0xc]; MOV ECX, ESI; CALL 0xfffffffffffffe40} .text win32k.sys!XFORMOBJ_iGetXform + 1E BF8B6574 16 Bytes [06, 8B, 40, 38, 83, E0, 43, ...] .text win32k.sys!XFORMOBJ_iGetXform + 2F BF8B6585 31 Bytes [75, 07, 33, C0, 5E, 5D, C2, ...] .text win32k.sys!FONTOBJ_pxoGetXform + D BF8B65A5 240 Bytes [5D, C2, 04, 00, 90, 90, 90, ...] .text win32k.sys!FONTOBJ_pxoGetXform + FE BF8B6696 59 Bytes [75, 08, 85, F6, 8B, C6, 74, ...] .text win32k.sys!FONTOBJ_pxoGetXform + 13B BF8B66D3 162 Bytes [80, 3B, C2, 73, 03, D1, E0, ...] .text win32k.sys!FONTOBJ_pxoGetXform + 1DE BF8B6776 96 Bytes [0E, 0F, B6, 78, 06, 33, C9, ...] .text win32k.sys!FONTOBJ_pxoGetXform + 23F BF8B67D7 35 Bytes [FF, 55, 8B, EC, 51, 53, 56, ...] .text ... .text win32k.sys!EngDeletePalette + 2 BF8C57A2 5 Bytes [55, 8B, EC, 56, FF] .text win32k.sys!EngDeletePalette + 8 BF8C57A8 115 Bytes [08, 8D, 4D, 08, 33, F6, E8, ...] .text win32k.sys!EngDeletePalette + 7C BF8C581C 4 Bytes [C7, 45, 08, 00] .text win32k.sys!EngDeletePalette + 81 BF8C5821 31 Bytes [40, 00, FF, 15, 60, DE, 98, ...] .text win32k.sys!EngDeletePalette + A1 BF8C5841 19 Bytes [35, 44, A1, 9A, BF, 8D, 4D, ...] {XOR EAX, 0xbf9aa144; LEA ECX, [EBP-0x4]; CALL 0xfffffffffff3ef9d; MOV ESI, [0xbf9aa148]} .text ... .text win32k.sys!PATHOBJ_vEnumStart + DB BF8C6C92 21 Bytes [00, 8B, 85, BC, FD, FF, FF, ...] .text win32k.sys!PATHOBJ_vEnumStart + F1 BF8C6CA8 3 Bytes [FD, FF, FF] .text win32k.sys!PATHOBJ_vEnumStart + F5 BF8C6CAC 21 Bytes [85, A8, FD, FF, FF, 8B, 85, ...] .text win32k.sys!PATHOBJ_vEnumStart + 10B BF8C6CC2 8 Bytes [FF, 89, 85, AC, FD, FF, FF, ...] .text win32k.sys!PATHOBJ_vEnumStart + 114 BF8C6CCB 2 Bytes [A8, FD] {TEST AL, 0xfd} .text ... .text win32k.sys!EngStrokePath + 2 BF8C89D2 14 Bytes [55, 8B, EC, 8B, 4D, 0C, 53, ...] {PUSH EBP; MOV EBP, ESP; MOV ECX, [EBP+0xc]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0x8]; LEA EAX, [ESI-0x10]} .text win32k.sys!EngStrokePath + 11 BF8C89E1 42 Bytes [DE, 1B, F6, 57, 8B, 7D, 20, ...] .text win32k.sys!EngStrokePath + 3C BF8C8A0C 52 Bytes CALL BF805382 \SystemRoot\System32\win32k.sys (Współużytkowany sterownik Win32/Microsoft Corporation) .text win32k.sys!EngStrokePath + 72 BF8C8A42 47 Bytes [40, 5F, 5E, 5B, 5D, C2, 20, ...] .text win32k.sys!EngStrokePath + A2 BF8C8A72 61 Bytes [58, 14, 56, 8B, 75, 0C, 57, ...] .text ... .text win32k.sys!EngSort + 64 BF8D3028 48 Bytes [FF, FF, C1, E0, 03, 8B, BC, ...] .text win32k.sys!EngSort + 95 BF8D3059 3 Bytes [00, 00, 33] .text win32k.sys!EngSort + 99 BF8D305D 34 Bytes [2B, 75, 10, 3B, F3, 76, 2E, ...] .text win32k.sys!EngSort + BC BF8D3080 12 Bytes [57, 50, FF, 55, 14, 85, C0, ...] .text win32k.sys!EngSort + C9 BF8D308D 64 Bytes JMP FC0223CD .text ... .text win32k.sys!EngLineTo + 11 BF8D4A8D 45 Bytes [F0, F7, DE, 1B, F6, 8D, 48, ...] .text win32k.sys!EngLineTo + 3F BF8D4ABB 4 Bytes [39, 5E, 40, 57] {CMP [ESI+0x40], EBX; PUSH EDI} .text win32k.sys!EngLineTo + 44 BF8D4AC0 42 Bytes [5D, FC, 89, 4D, F8, 75, 4B, ...] .text win32k.sys!EngLineTo + 6F BF8D4AEB 3 Bytes [85, 2C, FF] {TEST [EDI+EDI*8], EBP} .text win32k.sys!EngLineTo + 74 BF8D4AF0 140 Bytes [8B, 4D, 10, FF, 31, 50, 8D, ...] .text ... ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 406A9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4069D101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 4061466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3112] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3112] ole32.dll!CoCreateInstance 774F057E 5 Bytes JMP 406ADB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3112] ole32.dll!OleLoadFromStream 77519C85 5 Bytes JMP 407A4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3484] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3484] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 406A9A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3484] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4069D101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3484] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3484] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 4061466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3484] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3484] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A4671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3484] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A46DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3484] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A4542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3484] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A45A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3484] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A47A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3484] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A4606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3484] ole32.dll!CoCreateInstance 774F057E 5 Bytes JMP 406ADB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[3484] ole32.dll!OleLoadFromStream 77519C85 5 Bytes JMP 407A4AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7287042] spzs.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F728713E] spzs.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72870C0] spzs.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7287800] spzs.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72876D6] spzs.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7296E9C] spzs.sys ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\system32\services.exe[588] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[588] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 IAT C:\Program Files\Internet Explorer\iexplore.exe[3112] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation) IAT C:\Program Files\Internet Explorer\iexplore.exe[3484] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software) Device \FileSystem\Ntfs \Ntfs 86D3D1F8 AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software) Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software) Device \FileSystem\Fastfat \FatCdrom 86A40500 AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) Device \Driver\usbohci \Device\USBPDO-0 86BBE1F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 86D3F1F8 Device \Driver\dmio \Device\DmControl\DmConfig 86D3F1F8 Device \Driver\dmio \Device\DmControl\DmPnP 86D3F1F8 Device \Driver\dmio \Device\DmControl\DmInfo 86D3F1F8 Device \Driver\usbehci \Device\USBPDO-1 86BBD1F8 AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) Device \Driver\USBSTOR \Device\00000070 86B4F1F8 Device \Driver\Ftdisk \Device\HarddiskVolume1 86DAD1F8 Device \Driver\USBSTOR \Device\00000071 86B4F1F8 Device \Driver\Cdrom \Device\CdRom0 86B1D498 Device \Driver\Ftdisk \Device\HarddiskVolume2 86DAD1F8 Device \Driver\USBSTOR \Device\00000072 86B4F1F8 Device \Driver\Ftdisk \Device\HarddiskVolume3 86DAD1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F71D9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F71D9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F71D9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F71D9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\USBSTOR \Device\00000073 86B4F1F8 Device \Driver\USBSTOR \Device\00000074 86B4F1F8 Device \Driver\USBSTOR \Device\00000075 86B4F1F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 86A19500 AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) Device \Driver\NetBT \Device\NetBT_Tcpip_{829CA00C-F1B4-4885-8DB0-09578954EB20} 86A19500 Device \Driver\usbohci \Device\USBFDO-0 86BBE1F8 Device \Driver\usbehci \Device\USBFDO-1 86BBD1F8 Device \Driver\nvata \Device\NvAta0 86D3E1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 867A51F8 Device \Driver\nvata \Device\NvAta1 86D3E1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 867A51F8 Device \Driver\USBSTOR \Device\0000006f 86B4F1F8 Device \Driver\Ftdisk \Device\FtControl 86DAD1F8 Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software) Device \FileSystem\Fastfat \Fat 86A40500 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software) Device \FileSystem\Cdfs \Cdfs 869E51F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x55 0x3F 0x49 0x6D ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA2 0x0E 0x5E 0xCB ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4A 0x14 0xE2 0x7C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7A 0xE0 0x55 0xC9 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x74 0x60 0xAE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x18 0x4C 0xF4 0x0E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x55 0x3F 0x49 0x6D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA2 0x0E 0x5E 0xCB ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4A 0x14 0xE2 0x7C ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7A 0xE0 0x55 0xC9 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x74 0x60 0xAE ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x18 0x4C 0xF4 0x0E ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x55 0x3F 0x49 0x6D ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA2 0x0E 0x5E 0xCB ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4A 0x14 0xE2 0x7C ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7A 0xE0 0x55 0xC9 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x74 0x60 0xAE ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x18 0x4C 0xF4 0x0E ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x55 0x3F 0x49 0x6D ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA2 0x0E 0x5E 0xCB ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4A 0x14 0xE2 0x7C ... ---- EOF - GMER 1.0.15 ----