GMER 2.0.18454 - http://www.gmer.net
Rootkit scan 2013-02-02 05:17:09
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS543225L9A300 rev.FBEOC40C 232,89GB
Running: 17nsx6cl.exe; Driver: C:\DOCUME~1\Piotr\USTAWI~1\Temp\kwlcrpog.sys

---- System - GMER 2.0 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA76BC536]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA77657BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xA76BCF52]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA76FCC31]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA76C7D7A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA76C7DC6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA76C7F48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA76FC5E5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA76C7CE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA76C7E0A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA76C7D30]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xA76BD146]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA76C7F02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xA76BD8CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA76BC584]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA76FD2F7]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA76FD5AD]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA76C0F36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA76FD162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA76FCFCD]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA776589E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA76BC1EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA76BC5D2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA76C12A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA76BE292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA76C7DA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA76C7DE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA76C7F6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA76FC941]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA76C7D0E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA76C0AAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA76C7E8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA76C7D58]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA76C0CDE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA76C7F26]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0xA7995BE0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA76FCE48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA76BE15E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA76FCC9A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xA76BDD08]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA7771338]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA76FBC58]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA76BC620]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA76BC66E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xA76BD74A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA76BC276]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA76BC426]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA76FD3FE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA76BC3CC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xA76BDA2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xA76BDB88]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA76BC496]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateProcess [0xA76BD468]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xA76BD5CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA76BC6BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xA76BCF96]

---- Kernel code sections - GMER 2.0 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504518 4 Bytes [E8, 7C, 6C, A7]
.text ntkrnlpa.exe!ZwCallbackReturn + 2F1C 805047B8 12 Bytes [20, C6, 6B, A7, 6E, C6, 6B, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FC4 80504860 12 Bytes [2C, DA, 6B, A7, 88, DB, 6B, ...] {SUB AL, 0xda; IMUL ESP, [EDI-0x58942478], -0x6a; LES EBP, [EBX-0x59]}
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A646E 4 Bytes CALL A76BE943 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFreeUserMem + 674 BF809931 5 Bytes JMP A76C28C0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFreeUserMem + 35D0 BF80C88D 5 Bytes JMP A76C27B0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 45 BF813920 5 Bytes JMP A76C276A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 11F0 BF81C763 5 Bytes JMP A76C1E1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 68B BF838EFD 5 Bytes JMP A76C1538 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngLockSurface + 347C BF83C845 2 Bytes JMP A76C1E04 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngLockSurface + 347F BF83C848 2 Bytes CALL A7DB1F34 \SystemRoot\system32\drivers\RtkHDAud.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.)
.text win32k.sys!EngCreateBitmap + 19A7 BF83F3D5 5 Bytes JMP A76C2A2A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateBitmap + 3449 BF840E77 5 Bytes JMP A76C2C32 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTextOut + 1DB5 BF8597C3 5 Bytes JMP A76C2670 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBlt + 35C1 BF85DAD8 5 Bytes JMP A76C27FA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 35FB BF87527F 5 Bytes JMP A76C1A52 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 411E BF875DA2 5 Bytes JMP A76C1C12 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetLastError + 1606 BF89301B 5 Bytes JMP A76C1EF6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 3AA1 BF897979 5 Bytes JMP A76C2972 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMultiByteToWideChar + 2E70 BF8A0C8F 5 Bytes JMP A76C1EDE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMultiByteToWideChar + 2F30 BF8A0D4F 5 Bytes JMP A76C13E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAlphaBlend + 350F BF8AA40A 5 Bytes JMP A76C13FC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMulDiv + 90F8 BF8B4262 5 Bytes JMP A76C15A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 347A BF8B984F 5 Bytes JMP A76C1992 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 3505 BF8B98DA 5 Bytes JMP A76C1C58 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 8DDD BF8BF1B2 5 Bytes JMP A76C2B90 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnicodeToMultiByteN + 1756 BF8C322E 5 Bytes JMP A76C16B8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1517 BF8EB862 5 Bytes JMP A76C1790 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 1797 BF8EBAE2 5 Bytes JMP A76C18BC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + B223 BF8F556E 5 Bytes JMP A76C1E34 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + 19EF BF8F98FA 5 Bytes JMP A76C12DE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1994 BF9132F6 5 Bytes JMP A76C14D4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2568 BF913ECA 5 Bytes JMP A76C1664 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4EC7 BF916829 5 Bytes JMP A76C1D72 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 190E BF9447C8 5 Bytes JMP A76C2AE8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 2.0 ----

.text C:\WINNT\system32\svchost.exe[448] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[448] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\System32\smss.exe[700] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\igfxtray.exe[728] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\igfxtray.exe[728] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\csrss.exe[764] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\csrss.exe[764] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\winlogon.exe[788] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\winlogon.exe[788] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\services.exe[832] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\services.exe[832] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\lsass.exe[844] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\lsass.exe[844] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[1020] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[1020] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[1088] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[1088] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\System32\svchost.exe[1188] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\System32\svchost.exe[1188] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[1232] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[1232] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\igfxsrvc.exe[1264] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\igfxsrvc.exe[1264] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[1296] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[1296] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[1332] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[1332] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[1340] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[1340] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[1388] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[1388] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Java\jre7\bin\jqs.exe[1444] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Program Files\Java\jre7\bin\jqs.exe[1444] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\hkcmd.exe[1528] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\hkcmd.exe[1528] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1600] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1600] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1600] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[1640] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[1640] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\System32\svchost.exe[1656] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\System32\svchost.exe[1656] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\wbem\wmiprvse.exe[1680] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\wbem\wmiprvse.exe[1680] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\Explorer.EXE[1740] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\Explorer.EXE[1740] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\spoolsv.exe[1768] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\spoolsv.exe[1768] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\igfxpers.exe[1944] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\igfxpers.exe[1944] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\RTHDCPL.EXE[2036] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\RTHDCPL.EXE[2036] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2084] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2084] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2092] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2092] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2100] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[2100] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[2108] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[2108] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\System32\svchost.exe[2152] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\System32\svchost.exe[2152] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\atwtusb.exe[2160] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\atwtusb.exe[2160] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[2184] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[2184] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\blueconnect\DataCardMonitor.exe[2192] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Program Files\blueconnect\DataCardMonitor.exe[2192] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2228] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2228] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Documents and Settings\Piotr\Pulpit\17nsx6cl.exe[2312] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Documents and Settings\Piotr\Pulpit\17nsx6cl.exe[2312] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[2328] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\svchost.exe[2328] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[2500] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[2500] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[2500] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2520] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2520] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\ctfmon.exe[2588] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\ctfmon.exe[2588] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\wuauclt.exe[2600] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\wuauclt.exe[2600] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\Messenger\msmsgs.exe[2632] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Program Files\Messenger\msmsgs.exe[2632] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2864] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2864] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\DOCUME~1\Piotr\USTAWI~1\Temp\RtkBtMnt.exe[3432] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\DOCUME~1\Piotr\USTAWI~1\Temp\RtkBtMnt.exe[3432] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\wbem\wmiapsrv.exe[3700] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\wbem\wmiapsrv.exe[3700] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\wscntfy.exe[3820] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\wscntfy.exe[3820] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\System32\alg.exe[3888] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\System32\alg.exe[3888] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
.text C:\WINNT\system32\wbem\wmiprvse.exe[4008] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171CA 1 Byte [62]
.text C:\WINNT\system32\wbem\wmiprvse.exe[4008] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

---- User IAT/EAT - GMER 2.0 ----

IAT C:\WINNT\system32\services.exe[832] @ C:\WINNT\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINNT\system32\services.exe[832] @ C:\WINNT\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000
IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1600] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1740] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\AVAST Software\Avast\avastUI.exe[2108] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Registry - GMER 2.0 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC8 0x6D 0x9F 0x89 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC8 0x6D 0x9F 0x89 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC8 0x6D 0x9F 0x89 ...

---- EOF - GMER 2.0 ----