GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-04-21 15:20:05
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 SAMSUNG_SP1654N rev.BV100-45 149,05GB
Running: loqbwqdq.exe; Driver: C:\DOCUME~1\RYSZAR~1\USTAWI~1\Temp\ufrdrpoc.sys

---- System - GMER 2.1 ----

SSDT 86F3DCD8 ZwAlertResumeThread
SSDT 86F31868 ZwAlertThread
SSDT 86605A40 ZwAllocateVirtualMemory
SSDT 86E168A0 ZwAssignProcessToJobObject
SSDT 8687A728 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey [0xA7C8AED0]
SSDT 86CA81F0 ZwCreateMutant
SSDT 86CB0968 ZwCreateSymbolicLinkObject
SSDT 86CFE410 ZwCreateThread
SSDT 86E31320 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey [0xA7C8B150]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey [0xA7C8B810]
SSDT 86E08AD8 ZwDuplicateObject
SSDT 868B51D0 ZwFreeVirtualMemory
SSDT 86E79D88 ZwImpersonateAnonymousToken
SSDT 86F3DD38 ZwImpersonateThread
SSDT 8686F5F0 ZwLoadDriver
SSDT 86CF2D40 ZwMapViewOfSection
SSDT 86E6C4F8 ZwOpenEvent
SSDT 86E181B0 ZwOpenProcess
SSDT 86D3FE70 ZwOpenProcessToken
SSDT 86F19310 ZwOpenSection
SSDT 86DB5D70 ZwOpenThread
SSDT 86D0FB98 ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwRenameKey [0xA7C8BD80]
SSDT 86F23E40 ZwResumeThread
SSDT 86E77A78 ZwSetContextThread
SSDT 869A85D0 ZwSetInformationProcess
SSDT 86F1BB98 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey [0xA7C8BAA0]
SSDT 86E8C558 ZwSuspendProcess
SSDT 86F25278 ZwSuspendThread
SSDT 86D4BCA0 ZwTerminateProcess
SSDT 86E78178 ZwTerminateThread
SSDT 86D3CDD8 ZwUnmapViewOfSection
SSDT 86D19DE0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2770 80501F80 8 Bytes [58, C5, E8, 86, 78, 52, F2, ...]
? SYMDS.SYS Nie można odnaleźć określonego pliku. !
? SYMEFA.SYS Nie można odnaleźć określonego pliku. !
---- User code sections - GMER 2.1 ----

.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe[580] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe[580] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe[580] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe[580] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe[580] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe[580] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe[580] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe[580] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe[580] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe[580] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC }
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe[580] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe[580] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1108] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1108] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1108] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1108] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1108] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1108] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1108] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1108] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1108] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC }
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1108] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1108] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766
.text c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe[1108] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1172] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 007C0048
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1172] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 006A004C
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1172] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 007C020E
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1172] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 007C012A
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1172] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 007C0682
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1172] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 007C059E
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1172] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 007C03D6
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1172] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 007C02F2
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1172] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [99, 88, EB, F9] {CDQ ; MOV BL, CH; STC }
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1172] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 007C04BA
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1172] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 007C0766
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[1172] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 007C0A0E
.text C:\Program Files\Java\jre7\bin\jqs.exe[1252] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text C:\Program Files\Java\jre7\bin\jqs.exe[1252] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text C:\Program Files\Java\jre7\bin\jqs.exe[1252] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E
.text C:\Program Files\Java\jre7\bin\jqs.exe[1252] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A
.text C:\Program Files\Java\jre7\bin\jqs.exe[1252] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682
.text C:\Program Files\Java\jre7\bin\jqs.exe[1252] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E
.text C:\Program Files\Java\jre7\bin\jqs.exe[1252] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6
.text C:\Program Files\Java\jre7\bin\jqs.exe[1252] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2
.text C:\Program Files\Java\jre7\bin\jqs.exe[1252] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC }
.text C:\Program Files\Java\jre7\bin\jqs.exe[1252] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA
.text C:\Program Files\Java\jre7\bin\jqs.exe[1252] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766
.text C:\Program Files\Java\jre7\bin\jqs.exe[1252] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[1264] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[1264] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[1264] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[1264] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[1264] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[1264] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[1264] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[1264] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[1264] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[1264] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC }
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[1264] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA
.text C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe[1264] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766
.text E:\download\CDBurner\CDBurnerXP\NMSAccessU.exe[1412] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text E:\download\CDBurner\CDBurnerXP\NMSAccessU.exe[1412] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text E:\download\CDBurner\CDBurnerXP\NMSAccessU.exe[1412] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E
.text E:\download\CDBurner\CDBurnerXP\NMSAccessU.exe[1412] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A
.text E:\download\CDBurner\CDBurnerXP\NMSAccessU.exe[1412] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682
.text E:\download\CDBurner\CDBurnerXP\NMSAccessU.exe[1412] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E
.text E:\download\CDBurner\CDBurnerXP\NMSAccessU.exe[1412] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6
.text E:\download\CDBurner\CDBurnerXP\NMSAccessU.exe[1412] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2
.text E:\download\CDBurner\CDBurnerXP\NMSAccessU.exe[1412] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC }
.text E:\download\CDBurner\CDBurnerXP\NMSAccessU.exe[1412] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA
.text E:\download\CDBurner\CDBurnerXP\NMSAccessU.exe[1412] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766
.text E:\download\CDBurner\CDBurnerXP\NMSAccessU.exe[1412] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A
.text C:\WINDOWS\system32\PnkBstrA.exe[1496] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003D0048
.text C:\WINDOWS\system32\PnkBstrA.exe[1496] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003B004C
.text C:\WINDOWS\system32\PnkBstrA.exe[1496] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003D020E
.text C:\WINDOWS\system32\PnkBstrA.exe[1496] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003D012A
.text C:\WINDOWS\system32\PnkBstrA.exe[1496] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003D0682
.text C:\WINDOWS\system32\PnkBstrA.exe[1496] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003D059E
.text C:\WINDOWS\system32\PnkBstrA.exe[1496] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003D03D6
.text C:\WINDOWS\system32\PnkBstrA.exe[1496] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003D02F2
.text C:\WINDOWS\system32\PnkBstrA.exe[1496] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5A, 88, EB, F9] {POP EDX; MOV BL, CH; STC }
.text C:\WINDOWS\system32\PnkBstrA.exe[1496] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003D04BA
.text C:\WINDOWS\system32\PnkBstrA.exe[1496] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003D0766
.text C:\WINDOWS\system32\PnkBstrA.exe[1496] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003D084A
.text C:\WINDOWS\system32\PnkBstrB.exe[1512] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003D0048
.text C:\WINDOWS\system32\PnkBstrB.exe[1512] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003B004C
.text C:\WINDOWS\system32\PnkBstrB.exe[1512] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003D020E
.text C:\WINDOWS\system32\PnkBstrB.exe[1512] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003D012A
.text C:\WINDOWS\system32\PnkBstrB.exe[1512] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003D0682
.text C:\WINDOWS\system32\PnkBstrB.exe[1512] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003D059E
.text C:\WINDOWS\system32\PnkBstrB.exe[1512] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003D03D6
.text C:\WINDOWS\system32\PnkBstrB.exe[1512] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003D02F2
.text C:\WINDOWS\system32\PnkBstrB.exe[1512] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5A, 88, EB, F9] {POP EDX; MOV BL, CH; STC }
.text C:\WINDOWS\system32\PnkBstrB.exe[1512] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003D04BA
.text C:\WINDOWS\system32\PnkBstrB.exe[1512] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003D0766
.text C:\WINDOWS\system32\PnkBstrB.exe[1512] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003D084A
.text C:\WINDOWS\system32\winlogon.exe[1684] ntdll.dll!NtLockProductActivationKeys 7C90D4AE 5 Bytes JMP 10001000 C:\WINDOWS\system32\antiwpa.dll
.text C:\WINDOWS\system32\winlogon.exe[1684] USER32.dll!GetSystemMetrics 7E368F9C 5 Bytes JMP 10001018 C:\WINDOWS\system32\antiwpa.dll
.text C:\Documents and Settings\Ryszard Pietruszka\Pulpit\loqbwqdq.exe[3688] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text C:\Documents and Settings\Ryszard Pietruszka\Pulpit\loqbwqdq.exe[3688] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text C:\Documents and Settings\Ryszard Pietruszka\Pulpit\loqbwqdq.exe[3688] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E
.text C:\Documents and Settings\Ryszard Pietruszka\Pulpit\loqbwqdq.exe[3688] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A
.text C:\Documents and Settings\Ryszard Pietruszka\Pulpit\loqbwqdq.exe[3688] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682
.text C:\Documents and Settings\Ryszard Pietruszka\Pulpit\loqbwqdq.exe[3688] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E
.text C:\Documents and Settings\Ryszard Pietruszka\Pulpit\loqbwqdq.exe[3688] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6
.text C:\Documents and Settings\Ryszard Pietruszka\Pulpit\loqbwqdq.exe[3688] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2
.text C:\Documents and Settings\Ryszard Pietruszka\Pulpit\loqbwqdq.exe[3688] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC }
.text C:\Documents and Settings\Ryszard Pietruszka\Pulpit\loqbwqdq.exe[3688] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA
.text C:\Documents and Settings\Ryszard Pietruszka\Pulpit\loqbwqdq.exe[3688] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766
.text C:\Documents and Settings\Ryszard Pietruszka\Pulpit\loqbwqdq.exe[3688] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x81 0x61 0x42 0xCA ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\download\DEMON\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x72 0x0A 0xCF 0xA8 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x7B 0x25 0x5C 0xE1 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x51 0x43 0xDC 0x38 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x81 0x61 0x42 0xCA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\download\DEMON\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x72 0x0A 0xCF 0xA8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x7B 0x25 0x5C 0xE1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x51 0x43 0xDC 0x38 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x81 0x61 0x42 0xCA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\download\DEMON\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x72 0x0A 0xCF 0xA8 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x7B 0x25 0x5C 0xE1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x51 0x43 0xDC 0x38 ...

---- EOF - GMER 2.1 ----