GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-14 14:04:05
Windows 5.1.2600 Dodatek Service Pack 3
Running: xcdp6hqq.exe; Driver: D:\DOCUME~1\user\USTAWI~1\Temp\awldapow.sys

---- Kernel code sections - GMER 1.0.15 ----

.text KSecDD.sys!UnsealMessage + FFFF6156 F9AAD3BA 1 Byte [A0]
.text KSecDD.sys!KSecRegisterSecurityProvider + B F9AAD9E9 1 Byte [E4]
.text KSecDD.sys!KSecRegisterSecurityProvider + 19 F9AAD9F7 1 Byte [A8]
.text KSecDD.sys!KSecRegisterSecurityProvider + 25 F9AADA03 1 Byte [9C]
.text KSecDD.sys!KSecRegisterSecurityProvider + 46 F9AADA24 1 Byte [A0]
.text KSecDD.sys!KSecRegisterSecurityProvider + 4F F9AADA2D 1 Byte [9C]
.text ...
.text KSecDD.sys!SecSetPagingMode + 9 F9AADD33 1 Byte [B0]
.text KSecDD.sys!SecSetPagingMode + 1D F9AADD47 1 Byte [04]
.text KSecDD.sys!SecSetPagingMode + 23 F9AADD4D 1 Byte [04]
.text KSecDD.sys!SecSetPagingMode + 36 F9AADD60 1 Byte [04]
.text KSecDD.sys!SecSetPagingMode + 42 F9AADD6C 1 Byte [A4]
.text ...
.text KSecDD.sys!GetSecurityUserInfo + 158 F9AADF66 1 Byte [30]
.text KSecDD.sys!GetSecurityUserInfo + 15D F9AADF6B 1 Byte [6D]
.text KSecDD.sys!GetSecurityUserInfo + 17B F9AADF89 1 Byte [0C]
.text KSecDD.sys!SecMakeSPNEx + 763 F9AAE795 1 Byte [9F]
.text KSecDD.sys!SecMakeSPNEx + 76F F9AAE7A1 1 Byte [AB]
.text KSecDD.sys!SecMakeSPNEx + 796 F9AAE7C8 2 Bytes CALL F9AB5AA8 KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
.text KSecDD.sys!SecMakeSPNEx + 7C9 F9AAE7FB 1 Byte [74]
.text KSecDD.sys!SecMakeSPNEx + 825 F9AAE857 1 Byte [8A]
.text ...
PAGE KSecDD.sys!CredMarshalTargetInfo + 6B1 F9AB3ACB 1 Byte [0C]
PAGE KSecDD.sys!CredMarshalTargetInfo + 7AC F9AB3BC6 1 Byte [16]
PAGE KSecDD.sys!CredMarshalTargetInfo + 7BB F9AB3BD5 1 Byte [6A]
PAGE KSecDD.sys!CredMarshalTargetInfo + 7C0 F9AB3BDA 1 Byte [24]
PAGE KSecDD.sys!CredMarshalTargetInfo + 7CA F9AB3BE4 1 Byte [1C]
PAGE ...
PAGE KSecDD.sys!AcquireCredentialsHandleW + 3D F9AB3F4F 19 Bytes [DF, 89, 5D, F4, 74, 1C, FF, ...]
PAGE KSecDD.sys!AcquireCredentialsHandleW + 51 F9AB3F63 116 Bytes [85, C0, 7C, 0A, 8B, 73, 08, ...]
PAGE KSecDD.sys!AcquireCredentialsHandleW + C7 F9AB3FD9 74 Bytes CALL F9AAE685 KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
PAGE KSecDD.sys!AddCredentialsW + C F9AB4024 1 Byte [0C]
PAGE KSecDD.sys!AddCredentialsW + C F9AB4024 11 Bytes [0C, 75, 03, 8D, 4D, F0, 3B, ...]
PAGE KSecDD.sys!AddCredentialsW + 18 F9AB4030 3 Bytes [F8, 56, 8D]
PAGE KSecDD.sys!AddCredentialsW + 1C F9AB4034 114 Bytes [0C, 56, 51, FF, 75, 20, FF, ...]
PAGE KSecDD.sys!QueryCredentialsAttributesW F9AB40A8 13 Bytes [CC, CC, CC, CC, 8B, FF, 55, ...]
PAGE KSecDD.sys!QueryCredentialsAttributesW + E F9AB40B6 148 Bytes [0C, 53, 56, 8B, 75, 14, 33, ...]
PAGE KSecDD.sys!QueryCredentialsAttributesW + A3 F9AB414B 80 Bytes [85, F6, C7, 45, FC, 30, 00, ...]
PAGE KSecDD.sys!QueryCredentialsAttributesW + F4 F9AB419C 59 Bytes [76, 49, 8B, 4D, 18, 8B, 41, ...]
PAGE KSecDD.sys!QueryCredentialsAttributesW + 130 F9AB41D8 46 Bytes [83, E1, FC, 01, 4D, FC, 83, ...]
PAGE ...
PAGE KSecDD.sys!EnumerateSecurityPackagesW + 2 F9AB4536 3 Bytes [FF, 33, C0]
PAGE KSecDD.sys!EnumerateSecurityPackagesW + 6 F9AB453A 5 Bytes [C2, 04, 00, CC, CC] {RET 0x4; INT 3 ; INT 3 }
PAGE KSecDD.sys!EnumerateSecurityPackagesW + E F9AB4542 13 Bytes [8B, FF, 55, 8B, EC, 5D, E9, ...] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; POP EBP; JMP 0xffffffffffffea3e; INT 3 ; INT 3 }
PAGE KSecDD.sys!QuerySecurityPackageInfoW + E F9AB4552 37 Bytes [8B, FF, 55, 8B, EC, 8D, 45, ...]
PAGE KSecDD.sys!LsaEnumerateLogonSessions + C F9AB4578 84 Bytes [8B, FF, 55, 8B, EC, 81, EC, ...]
PAGE KSecDD.sys!InitializeSecurityContextW + 2B F9AB45CD 5 Bytes [4D, E0, 8B, 4E, 04]
PAGE KSecDD.sys!InitializeSecurityContextW + 31 F9AB45D3 133 Bytes [4D, E4, 3B, C3, 8B, 4D, 28, ...]
PAGE KSecDD.sys!InitializeSecurityContextW + B7 F9AB4659 2 Bytes [5D, A8]
PAGE KSecDD.sys!InitializeSecurityContextW + BA F9AB465C 1 Byte [BD]
PAGE KSecDD.sys!InitializeSecurityContextW + BF F9AB4661 30 Bytes [F3, A5, 8B, C8, 8D, 45, CC, ...]
PAGE ...
PAGE KSecDD.sys!AcceptSecurityContext + 2B F9AB4811 5 Bytes [4D, E0, 8B, 4E, 04]
PAGE KSecDD.sys!AcceptSecurityContext + 31 F9AB4817 62 Bytes [4D, E4, 3B, C3, 8B, 4D, 1C, ...]
PAGE KSecDD.sys!AcceptSecurityContext + 70 F9AB4856 32 Bytes [72, 08, 8D, 85, F0, FE, FF, ...]
PAGE KSecDD.sys!AcceptSecurityContext + 91 F9AB4877 47 Bytes JMP ADF10F7E
PAGE KSecDD.sys!AcceptSecurityContext + C1 F9AB48A7 56 Bytes [F8, 50, 89, 75, 08, E8, FB, ...]
PAGE ...
PAGE KSecDD.sys!ExportSecurityContext + 2 F9AB4D38 38 Bytes [75, 0C, FF, 72, 04, FF, 50, ...]
PAGE KSecDD.sys!ExportSecurityContext + 29 F9AB4D5F 78 Bytes [83, 3D, A8, 13, AB, F9, 00, ...]
PAGE KSecDD.sys!ImportSecurityContextW + 34 F9AB4DAE 32 Bytes [55, F8, 89, 11, EB, 05, B8, ...]
PAGE KSecDD.sys!ImportSecurityContextW + 55 F9AB4DCF 134 Bytes [03, 56, 57, 33, D2, BF, 00, ...]
PAGE KSecDD.sys!ImportSecurityContextW + DD F9AB4E57 28 Bytes [08, 89, 4D, DC, 8B, 4B, 0C, ...]
PAGE KSecDD.sys!ImportSecurityContextW + FA F9AB4E74 8 Bytes [45, D8, 89, 7D, CC, 89, 75, ...]
PAGE KSecDD.sys!ImportSecurityContextW + 103 F9AB4E7D 57 Bytes [55, F0, 89, 55, F4, 8D, 5D, ...]
PAGE ...
PAGE KSecDD.sys!SecMakeSPN F9AB51C0 5 Bytes [CC, CC, CC, CC, 8B]
PAGE KSecDD.sys!SecMakeSPN + 6 F9AB51C6 25 Bytes [55, 8B, EC, 83, EC, 24, A1, ...]
PAGE KSecDD.sys!SecMakeSPN + 20 F9AB51E0 118 Bytes [F2, 07, 00, 00, 85, C0, 74, ...]
PAGE KSecDD.sys!SecMakeSPN + 97 F9AB5257 65 Bytes [FF, 55, 8B, EC, 83, EC, 20, ...]
PAGE KSecDD.sys!SecMakeSPN + DA F9AB529A 90 Bytes JMP F9AB534B KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
PAGE ...

---- User code sections - GMER 1.0.15 ----

? D:\WINDOWS\system32\lsass.exe[592] D:\WINDOWS\system32\LSASRV.dll image checksum mismatch; time/date stamp mismatch; unknown module: NTDSA.dllunknown module: DNSAPI.dllunknown module: CRYPTUI.dllunknown module: certcli.dllunknown module: PAUTOENR.dllunknown module: MPR.dllunknown module: MSASN1.dllunknown module: NTDSAPI.dll
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[1860] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D54C5 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[1860] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADB1C D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[1860] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A480F D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[1860] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A4741 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[1860] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A47AC D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[1860] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A4612 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[1860] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A4674 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[1860] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A4872 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[1860] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A46D6 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1876] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D54C5 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 406A9AC9 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4069D0ED D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADB1C D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 4061467C D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A480F D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A4741 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A47AC D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A4612 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A4674 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A4872 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A46D6 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] ole32.dll!CoCreateInstance 774F057E 5 Bytes JMP 406ADB78 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] ole32.dll!OleLoadFromStream 77519C85 5 Bytes JMP 407A4B77 D:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ksecdd.sys!AcquireCredentialsHandleW] [F9AB3EE8] KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ksecdd.sys!SecMakeSPN] [F9AB5196] KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ksecdd.sys!FreeCredentialsHandle] [F9AB405A] KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ksecdd.sys!DeleteSecurityContext] [F9AB44C4] KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ksecdd.sys!InitializeSecurityContextW] [F9AB4578] KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ksecdd.sys!FreeContextBuffer] [F9AB452A] KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ksecdd.sys!QueryContextAttributesW] [F9AB7028] KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ksecdd.sys!QueryContextAttributesW] [F9AB7028] KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ksecdd.sys!FreeContextBuffer] [F9AB452A] KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ksecdd.sys!ImpersonateSecurityContext] [F9AB6F44] KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ksecdd.sys!DeleteSecurityContext] [F9AB44C4] KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ksecdd.sys!AcquireCredentialsHandleW] [F9AB3EE8] KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ksecdd.sys!AddCredentialsW] [F9AB3FEE] KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ksecdd.sys!AcceptSecurityContext] [F9AB47BC] KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [KERNEL32.dll!SearchPathW] [7C80AA36] D:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [KERNEL32.dll!TlsAlloc] [7C80E77C] D:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [KERNEL32.dll!RaiseException] [7C812E3F] D:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [KERNEL32.dll!QueueUserWorkItem] [7C812AA9] D:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [KERNEL32.dll!CreateTimerQueueTimer] [7C830A6A] D:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [KERNEL32.dll!RegisterWaitForSingleObjectEx] [7C82117D] D:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [KERNEL32.dll!DeleteTimerQueueTimer] [7C82B086] D:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [KERNEL32.dll!UnregisterWaitEx] [7C821130] D:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [KERNEL32.dll!WaitForSingleObjectEx] [7C83006A] D:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [KERNEL32.dll!MapViewOfFileEx] [7C90FF2D] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [KERNEL32.dll!VirtualAllocEx] [7C80B936] D:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [KERNEL32.dll!lstrcmpiW] [7C809B12] D:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtDeviceIoControlFile] [7C914ED9] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!RtlCopyUnicodeString] [7C925C82] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!RtlCreateHeap] [7C90D51E] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtMapViewOfSection] [7C90DF0E] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtUnmapViewOfSection] [7C9264EE] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!RtlDestroyHeap] [7C9100C4] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!RtlAllocateHeap] [7C90120E] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!DbgBreakPoint] [7C90D60E] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtOpenProcessToken] [7C90D92E] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtQuerySystemInformation] [7C90D6DE] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtPrivilegedServiceAuditAlarm] [7C90D6BE] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtPrivilegeCheck] [7C90D5FE] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtOpenProcess] [7C90D65E] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtOpenThread] [7C90D7FE] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtQueryInformationProcess] [7C90DFAE] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtWriteVirtualMemory] [7C90D9FE] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtReadVirtualMemory] [7C90D3FE] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtImpersonateClientOfPort] [7C929DA7] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!RtlImpersonateSelf] [7C90DF4E] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtWaitForSingleObject] [7C90DC8E] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtSetInformationObject] [7C90DCBE] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtSetInformationToken] [7C90D2AE] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtDuplicateToken] [7C91314C] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!RtlCopyLuid] [7C90D96E] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtQueryValueKey] [7C90D5CE] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\LSASRV.dll [ntdll.dll!NtOpenKey] [7C90D27E] D:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsarQueryInformationPolicy] [754088E1] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaIFree_LSAPR_POLICY_INFORMATION] [7540F3FE] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaIHealthCheck] [75416004] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaIGetBootOption] [75467D4E] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaISetBootOption] [75467C1F] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaIChangeSecretCipherKey] [7545EDAA] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaILookupWellKnownName] [7546ED57] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsarSetInformationPolicy] [7541853C] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaIRegisterPolicyChangeNotificationCallback] [7540EC5A] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaISafeMode] [75415BC2] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaISamIndicatedDsStarted] [7546E6C7] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaIQueryInformationPolicyTrusted] [75415B47] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaIAuditSamEvent] [754566B5] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaIAuditNotifyPackageLoad] [75415E6D] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaISetSerialNumberPolicy] [7546CC13] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaINotifyChangeNotification] [7541AE92] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsarClose] [7540759C] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaIOpenPolicyTrusted] [75415C04] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\WINDOWS\system32\lsass.exe[592] @ D:\WINDOWS\system32\SAMSRV.dll [LSASRV.dll!LsaIRegisterNotification] [75413C49] D:\WINDOWS\system32\LSASRV.dll (Biblioteka DLL serwera LSA/Microsoft Corporation)
IAT D:\Program Files\Internet Explorer\IEXPLORE.EXE[2176] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] D:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG04.00.00.01SERVER

---- EOF - GMER 1.0.15 ----