GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-09-17 01:02:11 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.SBDO 111,79GB Running: kopr7mwf.exe; Driver: C:\DOCUME~1\BARBAR~1\USTAWI~1\Temp\ufrdqpoc.sys ---- System - GMER 2.1 ---- SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwAddBootEntry [0xA3E8C716] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xA3E8D1F4] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwClose [0xA3ED106E] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateEvent [0xA3E9920C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateEventPair [0xA3E99258] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xA3E993F2] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateKey [0xA3ED0A22] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateMutant [0xA3E9917A] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateSection [0xA3E9929C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xA3E991C2] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateThread [0xA3E8D72A] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateTimer [0xA3E993AC] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xA3E8DFE2] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xA3E8C77C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDeleteKey [0xA3ED1734] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xA3ED19EA] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDuplicateObject [0xA3E9175E] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwEnumerateKey [0xA3ED159F] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xA3ED140A] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwLoadDriver [0xA3E8C364] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xA3E8C7E2] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xA3E91B54] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xA3E8EA72] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenEvent [0xA3E99236] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenEventPair [0xA3E9927A] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xA3E99416] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenKey [0xA3ED0D7E] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenMutant [0xA3E991A0] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenProcess [0xA3E91058] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenSection [0xA3E9932A] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xA3E991EA] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenThread [0xA3E91440] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenTimer [0xA3E993D0] SSDT \??\C:\WINDOWS\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xA3FE4EC4] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueryKey [0xA3ED1285] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueryObject [0xA3E8E93E] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueryValueKey [0xA3ED10D7] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueueApcThread [0xA3E8E494] SSDT \??\C:\WINDOWS\system32\drivers\aswSP.sys ZwRenameKey [0xA3FF27EE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwRestoreKey [0xA3ED0068] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xA3E8C848] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetBootOptions [0xA3E8C8AE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetContextThread [0xA3E8DE5C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xA3E8C3FE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xA3E8C5D4] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetValueKey [0xA3ED183B] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwShutdownSystem [0xA3E8C562] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSuspendProcess [0xA3E8E1AC] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSuspendThread [0xA3E8E30E] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xA3E8C65C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwTerminateProcess [0xA3E8DC9A] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwTerminateThread [0xA3E8DE3C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwVdmControl [0xA3E8C914] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xA3E8D250] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D14 805045FC 8 Bytes [0C, 92, E9, A3, 58, 92, E9, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2D50 80504638 8 Bytes [9C, 92, E9, A3, C2, 91, E9, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2D5C 80504644 8 Bytes [2A, D7, E8, A3, AC, 93, E9, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2D8C 80504674 4 Bytes [EA, 19, ED, A3] .text ntkrnlpa.exe!ZwCallbackReturn + 2E44 8050472C 8 Bytes [54, 1B, E9, A3, 72, EA, E8, ...] {PUSH ESP; SBB EBP, ECX; MOV [0xa3e8ea72], EAX} .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL A3E8F11F \??\C:\WINDOWS\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[172] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[172] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[260] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[260] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text c:\docume~1\barbar~1\ustawi~1\temp\teamviewer\version7\TeamViewer_Desktop.exe[396] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text c:\docume~1\barbar~1\ustawi~1\temp\teamviewer\version7\TeamViewer_Desktop.exe[396] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Documents and Settings\Barbara Postek\Dane aplikacji\Yontoo\YontooDesktop.exe[528] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\Barbara Postek\Dane aplikacji\Yontoo\YontooDesktop.exe[528] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\HPQ\IAM\bin\asghost.exe[584] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\HPQ\IAM\bin\asghost.exe[584] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[612] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[612] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[688] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[688] SHELL32.dll!StrStrW 7C9CEF18 8 Bytes [E0, 10, 60, 19, 00, 11, 60, ...] {LOOPNZ 0x12; PUSHA ; SBB [EAX], EAX; ADC [EAX+0x19], ESP} .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[816] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[816] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[960] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[1012] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[1012] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1040] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1040] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1084] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1096] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1096] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Documents and Settings\Barbara Postek\Moje dokumenty\Pobieranie\kopr7mwf.exe[1196] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\Barbara Postek\Moje dokumenty\Pobieranie\kopr7mwf.exe[1196] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[1220] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[1220] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1296] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1344] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1344] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE[1428] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE[1428] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1436] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\igfxtray.exe[1448] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\igfxtray.exe[1448] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\hkcmd.exe[1456] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\hkcmd.exe[1456] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\igfxsrvc.exe[1492] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\igfxsrvc.exe[1492] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\igfxpers.exe[1500] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\igfxpers.exe[1500] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1524] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1524] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1568] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[1568] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[1672] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[1672] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1688] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[1688] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\SMINST\Scheduler.exe[1736] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\SMINST\Scheduler.exe[1736] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\SMINST\Scheduler.exe[1736] USER32.dll!GetSysColor 7E368E78 5 Bytes JMP 00418ED0 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[1736] USER32.dll!GetSysColorBrush 7E368EAB 5 Bytes JMP 00418F40 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[1736] USER32.dll!SetScrollInfo 7E369056 7 Bytes JMP 00418DC0 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[1736] USER32.dll!GetScrollInfo 7E37DFE2 7 Bytes JMP 00418D10 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[1736] USER32.dll!ShowScrollBar 7E37F2F2 5 Bytes JMP 00418E90 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[1736] USER32.dll!GetScrollPos 7E37F704 5 Bytes JMP 00418D50 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[1736] USER32.dll!SetScrollPos 7E37F750 5 Bytes JMP 00418E00 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[1736] USER32.dll!GetScrollRange 7E37F787 5 Bytes JMP 00418D80 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[1736] USER32.dll!SetScrollRange 7E37F99B 5 Bytes JMP 00418E40 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[1736] USER32.dll!EnableScrollBar 7E3B8005 7 Bytes JMP 00418CD0 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\system32\svchost.exe[1784] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1784] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1792] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1792] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[1800] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe[1800] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[1828] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Lexmark S300-S400 Series\ezprint.exe[1828] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\DllHost.exe[1848] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\DllHost.exe[1848] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1852] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe[1908] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe[1908] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1936] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1936] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1968] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1968] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2000] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2000] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2012] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2012] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[2036] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[2036] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\DOCUME~1\BARBAR~1\USTAWI~1\Temp\TeamViewer\Version7\tv_w32.exe[2140] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\DOCUME~1\BARBAR~1\USTAWI~1\Temp\TeamViewer\Version7\tv_w32.exe[2140] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2196] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[2196] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Documents and Settings\All Users\Dane aplikacji\IBUpdaterService\ibsvc.exe[2364] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\All Users\Dane aplikacji\IBUpdaterService\ibsvc.exe[2364] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2420] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[2420] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE[2496] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE[2496] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[2664] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[2664] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\lxeacoms.exe[2880] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\lxeacoms.exe[2880] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\DOCUME~1\BARBAR~1\USTAWI~1\Temp\TeamViewer\Version7\TeamViewer.exe[2916] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\DOCUME~1\BARBAR~1\USTAWI~1\Temp\TeamViewer\Version7\TeamViewer.exe[2916] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[3044] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[3044] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[3440] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[3440] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\wdfmgr.exe[3460] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wdfmgr.exe[3460] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Yontoo\Y2Desktop.Updater.exe[3540] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Yontoo\Y2Desktop.Updater.exe[3540] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3608] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[3608] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[1084] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00610002 IAT C:\WINDOWS\system32\services.exe[1084] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00610000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Ip aswNdis2.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswNdis2.sys AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAB 0xAF 0x2A 0xB0 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8C 0xFD 0x08 0x0D ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x07 0x59 0xE0 0xA0 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCF 0x27 0x15 0x4F ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xAB 0xAF 0x2A 0xB0 ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----