GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-28 18:20:49
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_HD322HJ rev.1AC01118
Running: yokgcomr.exe; Driver: C:\Users\Szef\AppData\Local\Temp\aflcraob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8B6D59CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x902B7A68]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8B6D7EAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8B6D7F04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8B6D801A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8B6D7E02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8B6D7F54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8B6D7E56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8B6D7FC8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8B6D59EE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x902B7B18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8B6D57B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8B6D5A12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8B6D8412]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8B6D64AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8B6D7EDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8B6D7F2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8B6D8044]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8B6D7E2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8B6D7F94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8B6D7E84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8B6D7FF2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x902B7BB0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8B6D6370]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8B6D5A36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8B6D5A5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8B6D5812]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8B6D594E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8B6D592A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8B6D5972]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8B6D5A7E]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x902CC8DE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A88599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AACF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 214 82AB4724 4 Bytes [CA, 59, 6D, 8B]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82AB474C 4 Bytes [68, 7A, 2B, 90]
.text ntkrnlpa.exe!RtlSidHashLookup + 2F0 82AB4800 8 Bytes [AC, 7E, 6D, 8B, 04, 7F, 6D, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 2FC 82AB480C 4 Bytes [1A, 80, 6D, 8B]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 82AB4828 4 Bytes [02, 7E, 6D, 8B]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C4DFBF 5 Bytes JMP 902C829E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82C67CF3 5 Bytes JMP 902C9D50 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82CB217A 4 Bytes CALL 8B6D6E3B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82CBA255 4 Bytes CALL 8B6D6E51 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82D1FEAC 7 Bytes JMP 902CC8E2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
? System32\Drivers\spbl.sys System nie może odnaleźć określonej ścieżki. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90A05000, 0x2D5378, 0xE8000020]
.text USBPORT.SYS!DllUnload 903ABCA0 5 Bytes JMP 8687A1D8
.text autochk.exe 004211D2 27 Bytes [EB, 04, C6, 06, 31, 46, 8B, ...]
.text autochk.exe 004211F0 16 Bytes [8B, 09, 8A, 09, 88, 08, 8B, ...]
.text autochk.exe 00421201 10 Bytes [89, 4D, F8, 77, 08, 3B, C2, ...]
.text autochk.exe 0042120C 1 Byte [00]
.text autochk.exe 0042120C 11 Bytes [00, 00, 89, 55, F4, C7, 45, ...]
.text ...
.text user32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00340120
.text user32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0034006C
.text user32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 003400E4
.text user32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00340030
.text user32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 003400A8

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\wininit.exe[468] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0003006C
.text C:\Windows\system32\wininit.exe[468] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00030030
.text C:\Windows\system32\wininit.exe[468] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 000F0120
.text C:\Windows\system32\wininit.exe[468] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 000F006C
.text C:\Windows\system32\wininit.exe[468] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 000F00E4
.text C:\Windows\system32\wininit.exe[468] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 000F0030
.text C:\Windows\system32\wininit.exe[468] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 000F00A8
.text C:\Windows\system32\services.exe[516] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\system32\services.exe[516] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\system32\services.exe[516] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 001B0120
.text C:\Windows\system32\services.exe[516] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 001B006C
.text C:\Windows\system32\services.exe[516] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 001B00E4
.text C:\Windows\system32\services.exe[516] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 001B0030
.text C:\Windows\system32\services.exe[516] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 001B00A8
.text C:\Windows\system32\lsass.exe[540] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\system32\lsass.exe[540] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\system32\lsass.exe[540] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00140120
.text C:\Windows\system32\lsass.exe[540] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0014006C
.text C:\Windows\system32\lsass.exe[540] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 001400E4
.text C:\Windows\system32\lsass.exe[540] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00140030
.text C:\Windows\system32\lsass.exe[540] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 001400A8
.text C:\Windows\system32\lsm.exe[548] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\system32\lsm.exe[548] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\system32\lsm.exe[548] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00520120
.text C:\Windows\system32\lsm.exe[548] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0052006C
.text C:\Windows\system32\lsm.exe[548] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 005200E4
.text C:\Windows\system32\lsm.exe[548] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00520030
.text C:\Windows\system32\lsm.exe[548] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 005200A8
.text C:\Windows\system32\winlogon.exe[580] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0003006C
.text C:\Windows\system32\winlogon.exe[580] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00030030
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 000F0120
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 000F006C
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 000F00E4
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 000F0030
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 000F00A8
.text C:\Windows\system32\svchost.exe[708] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[708] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\system32\svchost.exe[708] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 004A0120
.text C:\Windows\system32\svchost.exe[708] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 004A006C
.text C:\Windows\system32\svchost.exe[708] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 004A00E4
.text C:\Windows\system32\svchost.exe[708] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 004A0030
.text C:\Windows\system32\svchost.exe[708] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 004A00A8
.text C:\Windows\system32\svchost.exe[800] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[800] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\system32\svchost.exe[800] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00200120
.text C:\Windows\system32\svchost.exe[800] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0020006C
.text C:\Windows\system32\svchost.exe[800] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 002000E4
.text C:\Windows\system32\svchost.exe[800] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00200030
.text C:\Windows\system32\svchost.exe[800] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 002000A8
.text C:\Windows\system32\atiesrxx.exe[848] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0016006C
.text C:\Windows\system32\atiesrxx.exe[848] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00160030
.text C:\Windows\system32\atiesrxx.exe[848] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00220120
.text C:\Windows\system32\atiesrxx.exe[848] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0022006C
.text C:\Windows\system32\atiesrxx.exe[848] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 002200E4
.text C:\Windows\system32\atiesrxx.exe[848] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00220030
.text C:\Windows\system32\atiesrxx.exe[848] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 002200A8
.text C:\Windows\System32\svchost.exe[932] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\System32\svchost.exe[932] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\System32\svchost.exe[932] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00310120
.text C:\Windows\System32\svchost.exe[932] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0031006C
.text C:\Windows\System32\svchost.exe[932] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 003100E4
.text C:\Windows\System32\svchost.exe[932] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00310030
.text C:\Windows\System32\svchost.exe[932] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 003100A8
.text C:\Windows\System32\svchost.exe[972] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\System32\svchost.exe[972] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\System32\svchost.exe[972] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 001B0120
.text C:\Windows\System32\svchost.exe[972] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 001B006C
.text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 001B00E4
.text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 001B0030
.text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 001B00A8
.text C:\Windows\system32\svchost.exe[1020] ntdll.dll!NtProtectVirtualMemory 77545380 5 Bytes JMP 002C000A
.text C:\Windows\system32\svchost.exe[1020] ntdll.dll!NtWriteVirtualMemory 77545F00 5 Bytes JMP 002D000A
.text C:\Windows\system32\svchost.exe[1020] ntdll.dll!KiUserExceptionDispatcher 77546448 5 Bytes JMP 0019000A
.text C:\Windows\system32\svchost.exe[1020] ole32.dll!CoCreateInstance 773F590C 5 Bytes JMP 009B000A
.text C:\Windows\system32\svchost.exe[1020] USER32.dll!GetCursorPos 7607C198 5 Bytes JMP 00F1000A
.text C:\Windows\system32\svchost.exe[1020] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00180120
.text C:\Windows\system32\svchost.exe[1020] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0018006C
.text C:\Windows\system32\svchost.exe[1020] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 001800E4
.text C:\Windows\system32\svchost.exe[1020] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00180030
.text C:\Windows\system32\svchost.exe[1020] USER32.dll!GetForegroundWindow 7608565D 5 Bytes JMP 00FC000A
.text C:\Windows\system32\svchost.exe[1020] USER32.dll!WindowFromPoint 760A6D0C 5 Bytes JMP 00F6000A
.text C:\Windows\system32\svchost.exe[1020] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 001800A8
.text C:\Windows\System32\spoolsv.exe[1096] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\System32\spoolsv.exe[1096] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\System32\spoolsv.exe[1096] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00170120
.text C:\Windows\System32\spoolsv.exe[1096] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0017006C
.text C:\Windows\System32\spoolsv.exe[1096] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 001700E4
.text C:\Windows\System32\spoolsv.exe[1096] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00170030
.text C:\Windows\System32\spoolsv.exe[1096] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 001700A8
.text C:\Windows\system32\taskhost.exe[1156] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0005006C
.text C:\Windows\system32\taskhost.exe[1156] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00050030
.text C:\Windows\system32\taskhost.exe[1156] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00150120
.text C:\Windows\system32\taskhost.exe[1156] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0015006C
.text C:\Windows\system32\taskhost.exe[1156] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 001500E4
.text C:\Windows\system32\taskhost.exe[1156] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00150030
.text C:\Windows\system32\taskhost.exe[1156] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 001500A8
.text C:\Windows\system32\svchost.exe[1180] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[1180] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00180120
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0018006C
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 001800E4
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00180030
.text C:\Windows\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 001800A8
.text C:\Windows\system32\atieclxx.exe[1224] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0016006C
.text C:\Windows\system32\atieclxx.exe[1224] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00160030
.text C:\Windows\system32\atieclxx.exe[1224] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00320120
.text C:\Windows\system32\atieclxx.exe[1224] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0032006C
.text C:\Windows\system32\atieclxx.exe[1224] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 003200E4
.text C:\Windows\system32\atieclxx.exe[1224] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00320030
.text C:\Windows\system32\atieclxx.exe[1224] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 003200A8
.text C:\Windows\system32\svchost.exe[1344] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[1344] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\system32\svchost.exe[1344] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00230120
.text C:\Windows\system32\svchost.exe[1344] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0023006C
.text C:\Windows\system32\svchost.exe[1344] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 002300E4
.text C:\Windows\system32\svchost.exe[1344] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00230030
.text C:\Windows\system32\svchost.exe[1344] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 002300A8
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1456] kernel32.dll!SetUnhandledExceptionFilter 75AD3162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Windows\System32\svchost.exe[1556] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 000A006C
.text C:\Windows\System32\svchost.exe[1556] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 000A0030
.text C:\Windows\System32\svchost.exe[1556] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00410120
.text C:\Windows\System32\svchost.exe[1556] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0041006C
.text C:\Windows\System32\svchost.exe[1556] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 004100E4
.text C:\Windows\System32\svchost.exe[1556] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00410030
.text C:\Windows\System32\svchost.exe[1556] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 004100A8
.text C:\Windows\system32\Dwm.exe[1568] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\system32\Dwm.exe[1568] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\system32\Dwm.exe[1568] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 000B0120
.text C:\Windows\system32\Dwm.exe[1568] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 000B006C
.text C:\Windows\system32\Dwm.exe[1568] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 000B00E4
.text C:\Windows\system32\Dwm.exe[1568] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 000B0030
.text C:\Windows\system32\Dwm.exe[1568] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 000B00A8
.text C:\Windows\system32\svchost.exe[1580] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[1580] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\system32\svchost.exe[1580] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00140120
.text C:\Windows\system32\svchost.exe[1580] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0014006C
.text C:\Windows\system32\svchost.exe[1580] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 001400E4
.text C:\Windows\system32\svchost.exe[1580] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00140030
.text C:\Windows\system32\svchost.exe[1580] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 001400A8
.text C:\Windows\system32\svchost.exe[1608] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[1608] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\system32\svchost.exe[1608] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00230120
.text C:\Windows\system32\svchost.exe[1608] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0023006C
.text C:\Windows\system32\svchost.exe[1608] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 002300E4
.text C:\Windows\system32\svchost.exe[1608] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00230030
.text C:\Windows\system32\svchost.exe[1608] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 002300A8
.text C:\Windows\Explorer.EXE[1612] ntdll.dll!NtProtectVirtualMemory 77545380 5 Bytes JMP 01F5000A
.text C:\Windows\Explorer.EXE[1612] ntdll.dll!NtWriteVirtualMemory 77545F00 5 Bytes JMP 01F6000A
.text C:\Windows\Explorer.EXE[1612] ntdll.dll!KiUserExceptionDispatcher 77546448 5 Bytes JMP 019A000A
.text C:\Windows\Explorer.EXE[1612] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00140120
.text C:\Windows\Explorer.EXE[1612] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0014006C
.text C:\Windows\Explorer.EXE[1612] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 001400E4
.text C:\Windows\Explorer.EXE[1612] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00140030
.text C:\Windows\Explorer.EXE[1612] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 001400A8
.text C:\Users\Szef\Downloads\OTL.exe[1640] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0016006C
.text C:\Users\Szef\Downloads\OTL.exe[1640] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00160030
.text C:\Users\Szef\Downloads\OTL.exe[1640] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00340120
.text C:\Users\Szef\Downloads\OTL.exe[1640] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0034006C
.text C:\Users\Szef\Downloads\OTL.exe[1640] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 003400E4
.text C:\Users\Szef\Downloads\OTL.exe[1640] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00340030
.text C:\Users\Szef\Downloads\OTL.exe[1640] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 003400A8
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1720] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1720] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1720] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 021A0120
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1720] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 021A006C
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1720] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 021A00E4
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1720] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 021A0030
.text C:\Program Files\Gadu-Gadu 10\gg.exe[1720] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 021A00A8
.text C:\Windows\system32\SearchIndexer.exe[2728] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\system32\SearchIndexer.exe[2728] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\system32\SearchIndexer.exe[2728] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00170120
.text C:\Windows\system32\SearchIndexer.exe[2728] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0017006C
.text C:\Windows\system32\SearchIndexer.exe[2728] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 001700E4
.text C:\Windows\system32\SearchIndexer.exe[2728] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00170030
.text C:\Windows\system32\SearchIndexer.exe[2728] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 001700A8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2940] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2940] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2940] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00170120
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2940] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0017006C
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2940] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 001700E4
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2940] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00170030
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2940] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 001700A8
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[3100] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[3100] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[3100] USER32.dll!SetWindowLongA 7607B1E3 5 Bytes JMP 698B8A3E C:\Program Files\Mozilla Firefox 4.0 Beta 10\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[3100] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00280120
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[3100] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0028006C
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[3100] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 002800E4
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[3100] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00280030
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[3100] USER32.dll!SetWindowLongW 76086614 5 Bytes JMP 698B89D0 C:\Program Files\Mozilla Firefox 4.0 Beta 10\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[3100] USER32.dll!GetWindowInfo 76086A82 5 Bytes JMP 696E2D69 C:\Program Files\Mozilla Firefox 4.0 Beta 10\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[3100] USER32.dll!TrackPopupMenu 760A4B3B 5 Bytes JMP 696E3375 C:\Program Files\Mozilla Firefox 4.0 Beta 10\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[3100] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 002800A8
.text C:\Windows\System32\svchost.exe[3232] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Windows\System32\svchost.exe[3232] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Windows\System32\svchost.exe[3232] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 001B0120
.text C:\Windows\System32\svchost.exe[3232] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 001B006C
.text C:\Windows\System32\svchost.exe[3232] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 001B00E4
.text C:\Windows\System32\svchost.exe[3232] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 001B0030
.text C:\Windows\System32\svchost.exe[3232] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 001B00A8
.text C:\Windows\system32\wuauclt.exe[3344] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0007006C
.text C:\Windows\system32\wuauclt.exe[3344] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00070030
.text C:\Windows\system32\wuauclt.exe[3344] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 000C0120
.text C:\Windows\system32\wuauclt.exe[3344] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 000C006C
.text C:\Windows\system32\wuauclt.exe[3344] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 000C00E4
.text C:\Windows\system32\wuauclt.exe[3344] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 000C0030
.text C:\Windows\system32\wuauclt.exe[3344] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 000C00A8
.text C:\Users\Szef\Downloads\yokgcomr.exe[3764] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0016006C
.text C:\Users\Szef\Downloads\yokgcomr.exe[3764] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00160030
.text C:\Users\Szef\Downloads\yokgcomr.exe[3764] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00340120
.text C:\Users\Szef\Downloads\yokgcomr.exe[3764] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0034006C
.text C:\Users\Szef\Downloads\yokgcomr.exe[3764] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 003400E4
.text C:\Users\Szef\Downloads\yokgcomr.exe[3764] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00340030
.text C:\Users\Szef\Downloads\yokgcomr.exe[3764] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 003400A8
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3868] ntdll.dll!NtProtectVirtualMemory 77545380 5 Bytes JMP 002D000A
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3868] ntdll.dll!NtWriteVirtualMemory 77545F00 5 Bytes JMP 002E000A
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3868] ntdll.dll!KiUserExceptionDispatcher 77546448 5 Bytes JMP 002C000A
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3868] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00130120
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3868] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0013006C
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3868] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 001300E4
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3868] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00130030
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\firefox.exe[3868] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 001300A8
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[4084] ntdll.dll!LdrUnloadDll 7755BF1F 5 Bytes JMP 0006006C
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[4084] ntdll.dll!LdrLoadDll 7755F625 5 Bytes JMP 00060030
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[4084] USER32.dll!UnhookWindowsHookEx 7607CC7B 5 Bytes JMP 00130120
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[4084] USER32.dll!UnhookWinEvent 7607D924 5 Bytes JMP 0013006C
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[4084] USER32.dll!SetWindowsHookExW 7608210A 5 Bytes JMP 001300E4
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[4084] USER32.dll!SetWinEventHook 7608507E 5 Bytes JMP 00130030
.text C:\Program Files\Mozilla Firefox 4.0 Beta 10\plugin-container.exe[4084] USER32.dll!SetWindowsHookExA 760A6DFA 5 Bytes JMP 001300A8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [83238042] \SystemRoot\System32\Drivers\spbl.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [832386D6] \SystemRoot\System32\Drivers\spbl.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [83238800] \SystemRoot\System32\Drivers\spbl.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8323813E] \SystemRoot\System32\Drivers\spbl.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1612] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [742D2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1612] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [742B5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1612] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [742B56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1612] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [742D250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1612] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [742C8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1612] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [742C4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1612] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [742C50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1612] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [742C51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1612] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [742C66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1612] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [742C82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1612] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [742C8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1612] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [742C907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1612] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [742CE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1612] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [742C4C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 855821F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6C9CCB47-6C70-4966-8268-C4D36266797E} 868081F8
Device \Driver\volmgr \Device\VolMgrControl 8557E1F8
Device \Driver\usbuhci \Device\USBPDO-0 8689E1F8
Device \Driver\usbuhci \Device\USBPDO-1 8689E1F8
Device \Driver\usbuhci \Device\USBPDO-2 8689E1F8
Device \Driver\usbuhci \Device\USBPDO-3 8689E1F8
Device \Driver\usbehci \Device\USBPDO-4 8686D500
Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \Driver\volmgr \Device\HarddiskVolume1 8557E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 867131F8
Device \Driver\volmgr \Device\HarddiskVolume2 8557E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\atapi \Device\Ide\IdePort0 855801F8
Device \Driver\atapi \Device\Ide\IdePort1 855801F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 855801F8
Device \Driver\volmgr \Device\HarddiskVolume3 8557E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume4 8557E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume5 8557E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\USBSTOR \Device\00000068 86EEF1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 868081F8
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast!
TDI Filter Driver/AVAST Software) Device \Driver\NetBT \Device\NetBT_Tcpip_{A9F46B10-0C25-434F-9564-44BFD4D626A6} 868081F8 Device \Driver\USBSTOR \Device\0000006a 86EEF1F8 Device \Driver\USBSTOR \Device\0000006b 86EEF1F8 Device \Driver\USBSTOR \Device\0000006c 86EEF1F8 Device \Driver\usbuhci \Device\USBFDO-0 8689E1F8 Device \Driver\USBSTOR \Device\0000006d 86EEF1F8 Device \Driver\usbuhci \Device\USBFDO-1 8689E1F8 Device \Driver\usbuhci \Device\USBFDO-2 8689E1F8 Device \Driver\usbuhci \Device\USBFDO-3 8689E1F8 Device \Driver\usbehci \Device\USBFDO-4 8686D500 Device \FileSystem\cdfs \Cdfs 867041F8 Device \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskSAMSUNG_HD322HJ_________________________1AC01118#5&17ef7b8e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF2 0x31 0xCE 0xCB ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF2 0x31 0xCE 0xCB ... 
---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 13: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sectors 625140079 (+255): rootkit-like behavior; ---- EOF - GMER 1.0.15 ----