GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-23 21:48:07
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0003 465,76GB
Running: xx0zel4x.exe; Driver: C:\Users\Asia\AppData\Local\Temp\kftcqaog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 544 fffff800035ac000 93 bytes [89, 6C, 24, 70, E9, 4B, FF, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 638 fffff800035ac05e 57 bytes [05, 05, 20, 1B, 00, 49, 8D, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ac1465 2 bytes [AC, 75]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ac14bb 2 bytes [AC, 75]
.text ... * 2
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3892] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000753e11a8 2 bytes [3E, 75]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3892] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000753e13a8 2 bytes [3E, 75]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3892] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 00000000753e1422 2 bytes [3E, 75]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3892] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 00000000753e1498 2 bytes [3E, 75]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ac1465 2 bytes [AC, 75]
.text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5156] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ac14bb 2 bytes [AC, 75]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ac1465 2 bytes [AC, 75]
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[5972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ac14bb 2 bytes [AC, 75]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077abfb28 5 bytes JMP 000000010393083c
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\syswow64\kernel32.dll!CreateEventW + 19 0000000076c21821 7 bytes JMP 00000001039304b4
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000076c242fa 7 bytes JMP 0000000103930596
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\syswow64\kernel32.dll!LoadLibraryA + 81 0000000076c249c8 7 bytes JMP 0000000103930678
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\syswow64\kernel32.dll!VirtualFreeEx + 19 0000000076c3d973 7 bytes JMP 00000001039302f0
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\syswow64\kernel32.dll!ExpandEnvironmentStringsA + 92 0000000076c3eb2d 7 bytes JMP 00000001039303d2
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075983e6b 5 bytes JMP 000000010393075a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\syswow64\ole32.DLL!CoCreateInstance + 62 0000000075649d49 7 bytes JMP 0000000103930a00
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\syswow64\urlmon.dll!URLOpenStreamA + 170 0000000076da4abf 7 bytes JMP 0000000103930e6a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA + 331 0000000076da4c0f 7 bytes JMP 0000000103940048
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ac1465 2 bytes [AC, 75]
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ac14bb 2 bytes [AC, 75]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4944] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077abfb28 5 bytes JMP 0000000102cf0676
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4944] C:\Windows\syswow64\kernel32.dll!CreateEventW + 19 0000000076c21821 7 bytes JMP 0000000102cf02ee
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4944] C:\Windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000076c242fa 7 bytes JMP 0000000102cf03d0
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4944] C:\Windows\syswow64\kernel32.dll!LoadLibraryA + 81 0000000076c249c8 7 bytes JMP 0000000102cf04b2
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4944] C:\Windows\syswow64\kernel32.dll!VirtualFreeEx + 19 0000000076c3d973 7 bytes JMP 0000000102cf012a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4944] C:\Windows\syswow64\kernel32.dll!ExpandEnvironmentStringsA + 92 0000000076c3eb2d 7 bytes JMP 0000000102cf020c
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4944] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075983e6b 5 bytes JMP 0000000102cf0594
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4944] C:\Windows\syswow64\ole32.DLL!CoCreateInstance + 62 0000000075649d49 7 bytes JMP 0000000102cf083a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4944] C:\Windows\syswow64\urlmon.dll!URLOpenStreamA + 170 0000000076da4abf 7 bytes JMP 0000000102cf0ca4
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4944] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA + 331 0000000076da4c0f 7 bytes JMP 0000000102cf0e68
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ac1465 2 bytes [AC, 75]
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[4944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ac14bb 2 bytes [AC, 75]
.text ... * 2
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 166 000000002f841afc 2 bytes [84, 2F]
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 253 000000002f841b53 2 bytes [84, 2F]
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 320 000000002f841b96 2 bytes [84, 2F]
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 390 000000002f841bdc 2 bytes [84, 2F]
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 738 000000002f841d38 2 bytes [84, 2F]
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 937 000000002f841dff 2 bytes [84, 2F]
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 958 000000002f841e14 2 bytes [84, 2F]
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE!wdGetApplicationObject + 970 000000002f841e20 2 bytes [84, 2F]
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076c28769 5 bytes JMP 000000015a0d53fc
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075606143 5 bytes JMP 000000015ab9f68e
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 00000000773b3e59 5 bytes JMP 000000015a1010b7
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 00000000773b3eae 5 bytes JMP 000000015a10b0be
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 00000000773b4731 5 bytes JMP 000000015a13b5dc
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 00000000773b5dee 5 bytes JMP 000000015a13c50f
.text C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE[5732] C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\OGL.DLL!GdipDeleteGraphics + 571 00000000589b0b54 4 bytes [1F, D5, 2F, E7]
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1472] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077abfb28 5 bytes JMP 0000000102e50676
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1472] C:\Windows\syswow64\kernel32.dll!CreateEventW + 19 0000000076c21821 7 bytes JMP 0000000102e502ee
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1472] C:\Windows\syswow64\kernel32.dll!CreateDirectoryW + 257 0000000076c242fa 7 bytes JMP 0000000102e503d0
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1472] C:\Windows\syswow64\kernel32.dll!LoadLibraryA + 81 0000000076c249c8 7 bytes JMP 0000000102e504b2
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1472] C:\Windows\syswow64\kernel32.dll!VirtualFreeEx + 19 0000000076c3d973 7 bytes JMP 0000000102e5012a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1472] C:\Windows\syswow64\kernel32.dll!ExpandEnvironmentStringsA + 92 0000000076c3eb2d 7 bytes JMP 0000000102e5020c
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1472] C:\Windows\syswow64\KERNELBASE.dll!CreateRemoteThreadEx 0000000075983e6b 5 bytes JMP 0000000102e50594
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1472] C:\Windows\syswow64\ole32.DLL!CoCreateInstance + 62 0000000075649d49 7 bytes JMP 0000000102e5083a
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1472] C:\Windows\syswow64\urlmon.dll!URLOpenStreamA + 170 0000000076da4abf 7 bytes JMP 0000000102e50ca4
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1472] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA + 331 0000000076da4c0f 7 bytes JMP 0000000102e50e68
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ac1465 2 bytes [AC, 75]
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[1472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075ac14bb 2 bytes [AC, 75]
.text ... * 2
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077abfcb0 5 bytes JMP 000000010027091c
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077abfe14 5 bytes JMP 0000000100270048
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077abfea8 5 bytes JMP 00000001002702ee
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077ac0004 5 bytes JMP 00000001002704b2
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077ac0038 5 bytes JMP 00000001002709fe
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077ac0068 5 bytes JMP 0000000100270ae0
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077ac0084 5 bytes JMP 0000000100020050
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077ac079c 5 bytes JMP 000000010027012a
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077ac088c 5 bytes JMP 0000000100270758
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077ac08a4 5 bytes JMP 0000000100270676
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077ac0df4 5 bytes JMP 00000001002703d0
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077ac1920 5 bytes JMP 0000000100270594
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077ac1be4 5 bytes JMP 000000010027083a
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtSuspendThread 0000000077ac1d70 5 bytes JMP 000000010027020c
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 206 000000007728524f 7 bytes JMP 0000000100270f52
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA + 380 00000000772853d0 7 bytes JMP 0000000100280210
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 149 0000000077285677 1 byte JMP 0000000100280048
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000077285679 5 bytes {JMP 0xffffffff88ffa9d1}
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\sechost.dll!CreateServiceA + 542 000000007728589a 7 bytes JMP 0000000100270ca6
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 382 0000000077285a1d 7 bytes JMP 00000001002803d8
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\sechost.dll!QueryServiceConfigW + 370 0000000077285c9b 7 bytes JMP 000000010028012c
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\sechost.dll!ControlServiceExA + 231 0000000077285d87 7 bytes JMP 00000001002802f4
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\sechost.dll!I_ScBroadcastServiceControlMessage + 123 0000000077287240 7 bytes JMP 0000000100270e6e
.text F:\xx0zel4x.exe[1936] C:\Windows\syswow64\USER32.dll!RecordShutdownReason + 882 0000000077301492 7 bytes JMP 00000001002804bc

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!memcpy] [85486575ffc78308]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!_amsg_exit] [58d480189480000]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!free] [1041894800006394]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!_initterm] [48000063a1058d48]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!malloc] [63b6058d48184189]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!_XcptFilter] [8d48204189480000]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!memmove] [418948000063c305]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!memset] [c9854840498b4828]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[ntdll.dll!RtlCaptureContext] [5f5815ff0000]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[ntdll.dll!RtlLookupFunctionEntry] [60de15ff504b8d48]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[ntdll.dll!RtlVirtualUnwind] [bd15ffcb8b480000]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!Sleep] [8d4820ec83485340]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!TerminateProcess] [bd15ff000064430d]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetSystemTimeAsFileTime] [8548d88b48000060]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetCurrentProcessId] [38244c8d4c6374c0]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetCurrentThreadId] [4100008fd9158d48]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetTickCount] [c88b4800000003b8]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!QueryPerformanceCounter] [c085000061ca15ff]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CreateThread] [4c3824548b484478]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CancelIo] [48c933454024448d]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CreateIoCompletionPort] [62c815ffcb8b]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!DeviceIoControl] [244c8b482a78c085]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!PostQueuedCompletionStatus] [8d4c30244c8d4c40]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!DefineDosDeviceA] [63fe158d48482444]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!SetUnhandledExceptionFilter] [850000577de80000]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!UnhandledExceptionFilter] [4824448b480b74c0]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!WaitForSingleObject] [c03302eb0a40b70f]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!SetEvent] [ccccc35b20c48348]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CreateEventA] [245c8948c3c03300]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!LocalAlloc] [d158d48d98b48f8]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CloseHandle] [56e9e8ce8b4800]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!LocalFree] [158d482474c08500]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CreateFileA] [10b84100006504]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetQueuedCompletionStatus] [56d0e8ce8b480000]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!WideCharToMultiByte] [83480b74c0850000]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!DisableThreadLibraryCalls] [eb80004002b80027]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!MultiByteToWideChar] [30245c8b48c03301]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!lstrlenW] [c483483824748b48]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetLastError] [245c8948ccc35f20]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetCurrentProcess] [8b4820ec83485708]

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\services.exe [692:2376] 0000000000255824
Thread C:\Windows\system32\services.exe [692:2140] 0000000000bb2804
Thread C:\Windows\system32\services.exe [692:2176] 0000000000bb2fe8
Thread C:\Windows\system32\services.exe [692:2272] 0000000000bb2fe8
Thread C:\Windows\system32\services.exe [692:2320] 0000000000bb2fe8
Thread C:\Windows\system32\services.exe [692:2332] 0000000000bb2fe8
Thread C:\Windows\system32\services.exe [692:2352] 0000000000bc1390
Thread C:\Windows\system32\services.exe [692:2340] 0000000000bc1238
Thread C:\Windows\system32\services.exe [692:2528] 0000000000bd17e8

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0008ca32ea9d
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\bc773702cb9a
Reg HKLM\SYSTEM\CurrentControlSet\services\
Reg HKLM\SYSTEM\CurrentControlSet\services\@Parameters\0\x202e\x2764 308
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0008ca32ea9d (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\bc773702cb9a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\ (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\@Parameters\0\x202e\x2764 308

---- Files - GMER 2.1 ----

File C:\Program Files\Windows Defender\pl-PL\MpAsDesc.dll.mui 41472 bytes executable
File C:\Program Files\Windows Defender\pl-PL\MpEvMsg.dll.mui 17920 bytes executable
File C:\Program Files\Windows Defender\pl-PL\MsMpRes.dll.mui 53248 bytes executable

---- EOF - GMER 2.1 ----
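The log above is raw GMER output. When triaging one, the first useful step is to regroup the entries by process and by hook shape (a 2- or 4-byte in-place patch, a 5- or 7-byte JMP resolved to an absolute address, GMER's braced "{JMP 0x...}" form, an IAT slot value) so that, for example, all of IEXPLORE.EXE[3196]'s JMP hooks can be seen to land in one small address range, which is the region to look up in that process's module list. The parser below is an added example written for this page; it is not GMER's code and not the poster's. Its sample input is a constructed string made of lines copied from the log above, its regexes cover only the entry shapes present in this log, and it says nothing about whether any hook is benign or malicious. The one semantic check it applies is generic x64 fact rather than GMER knowledge: an IAT slot must hold a valid pointer, and a 64-bit value whose bits 63..47 are not all equal cannot be one, so such an entry needs re-reading rather than chasing as a hook destination. The braced "{JMP ...}" form is counted separately and its value is not interpreted, because the log alone does not establish what GMER means by it.

```python
"""Regroup GMER 2.1 log entries by process and hook shape (added example, not GMER's code)."""
import ntpath
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER 2\.1 ----$")
# .text <process>[<pid>] <module>!<export>[ + <offset>] <address> <n> byte(s) <tail>
TEXT_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<module>[^!]+)!(?P<export>\S+)"
    r"(?: \+ (?P<off>\d+))? (?P<addr>[0-9a-f]{16}) (?P<size>\d+) bytes? (?P<tail>.+)$"
)
ELIDED_RE = re.compile(r"^\.text \.\.\. \* (?P<n>\d+)$")  # GMER's "N more entries like the last"
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<image>.+?)"
    r"\[(?P<module>[^!]+)!(?P<import>[^\]]+)\] \[(?P<value>[0-9a-f]+)\]$"
)
THREAD_RE = re.compile(r"^Thread (?P<proc>.+?) \[(?P<pid>\d+):(?P<tid>\d+)\] (?P<addr>[0-9a-f]{16})$")
JMP_RE = re.compile(r"^(?P<braced>\{)?JMP (?:0x)?(?P<target>[0-9a-f]+)\}?$")

# Constructed sample: entries copied verbatim from the log above, one per line.
SAMPLE_LOG = r"""---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Skype\Phone\Skype.exe[3892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075ac1465 2 bytes [AC, 75]
.text ... * 2
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationProcess 0000000077abfb28 5 bytes JMP 000000010393083c
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\syswow64\kernel32.dll!CreateEventW + 19 0000000076c21821 7 bytes JMP 00000001039304b4
.text C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE[3196] C:\Windows\syswow64\urlmon.dll!URLDownloadToCacheFileA + 331 0000000076da4c0f 7 bytes JMP 0000000103940048
.text F:\xx0zel4x.exe[1936] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W + 151 0000000077285679 5 bytes {JMP 0xffffffff88ffa9d1}

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!memcpy] [85486575ffc78308]
IAT C:\Windows\system32\svchost.exe[1192] @ C:\Windows\system32\kmddsp.tsp[ntdll.dll!RtlCaptureContext] [5f5815ff0000]

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\services.exe [692:2376] 0000000000255824
"""


def classify_tail(tail):
    """Map the tail of a .text entry to (kind, jmp_target_or_None).

    'JMP <addr>'    -> inline jump GMER resolved to an absolute address
    '{JMP 0x...}'   -> GMER's braced form; counted apart, value not interpreted
    '[AA, BB, ...]' -> raw bytes that differ from the on-disk image
    """
    m = JMP_RE.match(tail)
    if m:
        return ("jmp_braced" if m.group("braced") else "jmp"), int(m.group("target"), 16)
    if tail.startswith("["):
        return "patch", None
    return "other", None


def is_canonical_x64(value):
    """True if value could be a valid x64 virtual address (bits 63..47 all equal)."""
    top = value >> 47
    return top == 0 or top == 0x1FFFF


def summarize(text):
    """Parse a GMER log into per-process hook counts plus IAT and thread details."""
    procs = defaultdict(lambda: {"jmp": 0, "jmp_braced": 0, "patch": 0, "other": 0,
                                 "elided": 0, "jmp_targets": []})
    iat, threads, unparsed = [], [], []
    last_key = None  # process the next '.text ... * N' line refers to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue
        if m := TEXT_RE.match(line):
            key = (ntpath.basename(m.group("proc")), int(m.group("pid")))
            kind, target = classify_tail(m.group("tail"))
            procs[key][kind] += 1
            if kind == "jmp":
                procs[key]["jmp_targets"].append(target)
            last_key = key
        elif (m := ELIDED_RE.match(line)) and last_key is not None:
            procs[last_key]["elided"] += int(m.group("n"))
        elif m := IAT_RE.match(line):
            value = int(m.group("value"), 16)
            iat.append({"proc": ntpath.basename(m.group("proc")), "pid": int(m.group("pid")),
                        "image": ntpath.basename(m.group("image")),
                        "import": m.group("module") + "!" + m.group("import"),
                        "value": value, "canonical": is_canonical_x64(value)})
        elif m := THREAD_RE.match(line):
            threads.append({"proc": ntpath.basename(m.group("proc")), "pid": int(m.group("pid")),
                            "tid": int(m.group("tid")), "start": int(m.group("addr"), 16)})
        else:
            unparsed.append(line)  # never drop a line silently
    return {"procs": dict(procs), "iat": iat, "threads": threads, "unparsed": unparsed}


def jmp_span(summary, name, pid):
    """(lowest, highest) absolute JMP destination for one process, or None without JMP hooks.

    A tight span means one region of code owns every hook in that process; a
    module list for that PID (not part of a GMER log) says what is mapped there.
    """
    targets = summary["procs"].get((name, pid), {}).get("jmp_targets", [])
    return (min(targets), max(targets)) if targets else None


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (name, pid), counts in s["procs"].items():
        print(f"{name}[{pid}]: " + ", ".join(f"{k}={v}" for k, v in counts.items() if k != "jmp_targets"),
              "span=", tuple(hex(x) for x in jmp_span(s, name, pid) or ()))
    for e in s["iat"]:
        print(f"IAT {e['image']} {e['import']} value={e['value']:#x} canonical={e['canonical']}")
```

To run it over the real log, save the log as a file and pass its contents to summarize(); the "unparsed" list then shows which entry shapes (Reg, File, INITKDBG) the example deliberately does not handle.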