GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-15 10:31:58 Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB Running: tspx2j2j.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pxrdafoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8DA0C340, 0x3D7A87, 0xE8000020] C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl entry point in "" section [0xA3F3241C] .clc C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl unknown last code section [0xA3F33000, 0x1000, 0xE0000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[664] ntdll.dll!NtQueryDirectoryFile 77C88658 4 Bytes [68, 80, 21, 3F] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[664] ntdll.dll!NtQueryDirectoryFile + 5 77C8865D 1 Byte [C3] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[664] ntdll.dll!NtResumeThread 77C88A58 4 Bytes [68, B0, 26, 3F] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[664] ntdll.dll!NtResumeThread + 5 77C88A5D 1 Byte [C3] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[664] ntdll.dll!NtSetValueKey 77C88CF8 4 Bytes [68, 70, 29, 3F] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[664] ntdll.dll!NtSetValueKey + 5 77C88CFD 1 Byte [C3] .text C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE[664] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 003F2910; RET .text C:\Windows\system32\wbem\unsecapp.exe[800] ntdll.dll!NtQueryDirectoryFile 77C88658 4 Bytes [68, 80, 21, B2] .text C:\Windows\system32\wbem\unsecapp.exe[800] ntdll.dll!NtQueryDirectoryFile + 5 77C8865D 1 Byte [C3] .text C:\Windows\system32\wbem\unsecapp.exe[800] ntdll.dll!NtResumeThread 77C88A58 4 Bytes [68, B0, 26, B2] .text C:\Windows\system32\wbem\unsecapp.exe[800] ntdll.dll!NtResumeThread + 5 77C88A5D 1 Byte [C3] .text C:\Windows\system32\wbem\unsecapp.exe[800] ntdll.dll!NtSetValueKey 77C88CF8 4 Bytes [68, 70, 29, B2] .text C:\Windows\system32\wbem\unsecapp.exe[800] ntdll.dll!NtSetValueKey + 5 77C88CFD 1 Byte [C3] .text C:\Windows\system32\wbem\unsecapp.exe[800] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 00B22910; RET .text C:\Windows\system32\wbem\unsecapp.exe[800] WS2_32.dll!send 7657659B 6 Bytes PUSH 00B23A90; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[908] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 01742180; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[908] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 017426B0; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[908] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 01742970; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[908] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 01742910; RET .text C:\Windows\system32\taskeng.exe[1856] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 02732180; RET .text C:\Windows\system32\taskeng.exe[1856] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 027326B0; RET .text C:\Windows\system32\taskeng.exe[1856] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 02732970; RET .text C:\Windows\system32\taskeng.exe[1856] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 02732910; RET .text C:\Windows\system32\taskeng.exe[1856] WS2_32.dll!send 7657659B 6 Bytes PUSH 02733A90; RET .text C:\Windows\system32\Dwm.exe[1904] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 029B2180; RET .text C:\Windows\system32\Dwm.exe[1904] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 029B26B0; RET .text C:\Windows\system32\Dwm.exe[1904] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 029B2970; RET .text C:\Windows\system32\Dwm.exe[1904] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 029B2910; RET .text C:\Windows\system32\Dwm.exe[1904] WS2_32.dll!send 7657659B 6 Bytes PUSH 029B3A90; RET .text C:\Windows\Explorer.EXE[1996] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 04BC2180; RET .text C:\Windows\Explorer.EXE[1996] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 04BC26B0; RET .text C:\Windows\Explorer.EXE[1996] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 04BC2970; RET .text C:\Windows\Explorer.EXE[1996] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 04BC2910; RET .text C:\Windows\Explorer.EXE[1996] WS2_32.dll!send 7657659B 6 Bytes PUSH 04BC3A90; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[2140] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 01972180; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[2140] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 019726B0; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[2140] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 01972970; RET .text C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe[2140] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 01972910; RET .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 016B2180; RET .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 016B26B0; RET .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 016B2970; RET .text C:\ProgramData\DatacardService\DCSHelper.exe[2352] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 016B2910; RET .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2480] ntdll.dll!NtQueryDirectoryFile 77C88658 4 Bytes [68, 80, 21, 15] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2480] ntdll.dll!NtQueryDirectoryFile + 5 77C8865D 1 Byte [C3] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2480] ntdll.dll!NtResumeThread 77C88A58 4 Bytes [68, B0, 26, 15] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2480] ntdll.dll!NtResumeThread + 5 77C88A5D 1 Byte [C3] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2480] ntdll.dll!NtSetValueKey 77C88CF8 4 Bytes [68, 70, 29, 15] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2480] ntdll.dll!NtSetValueKey + 5 77C88CFD 1 Byte [C3] .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2480] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 00152910; RET .text C:\Users\Mateusz\Desktop\tspx2j2j.exe[2480] WS2_32.dll!send 7657659B 6 Bytes PUSH 00153A90; RET .text C:\Windows\RtHDVCpl.exe[2608] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 021E2180; RET .text C:\Windows\RtHDVCpl.exe[2608] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 021E26B0; RET .text C:\Windows\RtHDVCpl.exe[2608] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 021E2970; RET .text C:\Windows\RtHDVCpl.exe[2608] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 021E2910; RET .text C:\Windows\RtHDVCpl.exe[2608] WS2_32.dll!send 7657659B 6 Bytes PUSH 021E3A90; RET .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2640] ntdll.dll!NtQueryDirectoryFile 77C88658 4 Bytes [68, 80, 21, 5A] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2640] ntdll.dll!NtQueryDirectoryFile + 5 77C8865D 1 Byte [C3] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2640] ntdll.dll!NtResumeThread 77C88A58 4 Bytes [68, B0, 26, 5A] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2640] ntdll.dll!NtResumeThread + 5 77C88A5D 1 Byte [C3] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2640] ntdll.dll!NtSetValueKey 77C88CF8 4 Bytes [68, 70, 29, 5A] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2640] ntdll.dll!NtSetValueKey + 5 77C88CFD 1 Byte [C3] .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2640] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 005A2910; RET .text C:\Program Files\Windows Media Player\wmpnscfg.exe[2640] WS2_32.dll!send 7657659B 6 Bytes PUSH 005A3A90; RET .text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[2784] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 051D2180; RET .text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[2784] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 051D26B0; RET .text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[2784] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 051D2970; RET .text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[2784] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 051D2910; RET .text C:\Program Files\Acer\Acer VCM\AcerVCM.exe[2784] WS2_32.dll!send 7657659B 6 Bytes PUSH 051D3A90; RET .text C:\Windows\PLFSetI.exe[3056] ntdll.dll!NtQueryDirectoryFile 77C88658 4 Bytes [68, 80, 21, 5E] .text C:\Windows\PLFSetI.exe[3056] ntdll.dll!NtQueryDirectoryFile + 5 77C8865D 1 Byte [C3] .text C:\Windows\PLFSetI.exe[3056] ntdll.dll!NtResumeThread 77C88A58 4 Bytes [68, B0, 26, 5E] .text C:\Windows\PLFSetI.exe[3056] ntdll.dll!NtResumeThread + 5 77C88A5D 1 Byte [C3] .text C:\Windows\PLFSetI.exe[3056] ntdll.dll!NtSetValueKey 77C88CF8 4 Bytes [68, 70, 29, 5E] .text C:\Windows\PLFSetI.exe[3056] ntdll.dll!NtSetValueKey + 5 77C88CFD 1 Byte [C3] .text C:\Windows\PLFSetI.exe[3056] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 005E2910; RET .text C:\Program Files\Launch Manager\LManager.exe[3132] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 026B2180; RET .text C:\Program Files\Launch Manager\LManager.exe[3132] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 026B26B0; RET .text C:\Program Files\Launch Manager\LManager.exe[3132] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 026B2970; RET .text C:\Program Files\Launch Manager\LManager.exe[3132] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 026B2910; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[3176] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 02D92180; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[3176] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 02D926B0; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[3176] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 02D92970; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[3176] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 02D92910; RET .text C:\Program Files\Acer\Empowering Technology\eAudio\eAudio.exe[3176] WS2_32.dll!send 7657659B 6 Bytes PUSH 02D93A90; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[3220] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 02A42180; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[3220] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 02A426B0; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[3220] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 02A42970; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[3220] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 02A42910; RET .text C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe[3220] WS2_32.dll!send 7657659B 6 Bytes PUSH 02A43A90; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3240] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 04B12180; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3240] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 04B126B0; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3240] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 04B12970; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3240] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 04B12910; RET .text C:\Program Files\Acer\Empowering Technology\ePower\ePower_DMC.exe[3240] WS2_32.dll!send 7657659B 6 Bytes PUSH 04B13A90; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3268] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 02282180; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3268] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 022826B0; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3268] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 02282970; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3268] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 02282910; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe[3268] ws2_32.dll!send 7657659B 6 Bytes PUSH 02283A90; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[3276] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 02702180; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[3276] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 027026B0; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[3276] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 02702970; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[3276] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 02702910; RET .text C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Kernel\CLML\CLMLSvc.exe[3276] WS2_32.dll!send 7657659B 6 Bytes PUSH 02703A90; RET .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3376] ntdll.dll!NtQueryDirectoryFile 77C88658 4 Bytes [68, 80, 21, F5] .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3376] ntdll.dll!NtQueryDirectoryFile + 5 77C8865D 1 Byte [C3] .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3376] ntdll.dll!NtResumeThread 77C88A58 4 Bytes [68, B0, 26, F5] .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3376] ntdll.dll!NtResumeThread + 5 77C88A5D 1 Byte [C3] .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3376] ntdll.dll!NtSetValueKey 77C88CF8 4 Bytes [68, 70, 29, F5] .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3376] ntdll.dll!NtSetValueKey + 5 77C88CFD 1 Byte [C3] .text C:\Program Files\AVG PC TuneUp 2014\TuneUpUtilitiesApp32.exe[3376] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 00F52910; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[3444] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 02342180; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[3444] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 023426B0; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[3444] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 02342970; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[3444] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 02342910; RET .text C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe[3444] ws2_32.dll!send 7657659B 6 Bytes PUSH 02343A90; RET .text C:\Windows\system32\conime.exe[3468] ntdll.dll!NtQueryDirectoryFile 77C88658 4 Bytes [68, 80, 21, 04] .text C:\Windows\system32\conime.exe[3468] ntdll.dll!NtQueryDirectoryFile + 5 77C8865D 1 Byte [C3] .text C:\Windows\system32\conime.exe[3468] ntdll.dll!NtResumeThread 77C88A58 4 Bytes [68, B0, 26, 04] .text C:\Windows\system32\conime.exe[3468] ntdll.dll!NtResumeThread + 5 77C88A5D 1 Byte [C3] .text C:\Windows\system32\conime.exe[3468] ntdll.dll!NtSetValueKey 77C88CF8 4 Bytes [68, 70, 29, 04] .text C:\Windows\system32\conime.exe[3468] ntdll.dll!NtSetValueKey + 5 77C88CFD 1 Byte [C3] .text C:\Windows\system32\conime.exe[3468] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 00042910; RET .text D:\programy\winamp\winampa.exe[3688] ntdll.dll!NtQueryDirectoryFile 77C88658 4 Bytes [68, 80, 21, 86] .text D:\programy\winamp\winampa.exe[3688] ntdll.dll!NtQueryDirectoryFile + 5 77C8865D 1 Byte [C3] .text D:\programy\winamp\winampa.exe[3688] ntdll.dll!NtResumeThread 77C88A58 4 Bytes [68, B0, 26, 86] .text D:\programy\winamp\winampa.exe[3688] ntdll.dll!NtResumeThread + 5 77C88A5D 1 Byte [C3] .text D:\programy\winamp\winampa.exe[3688] ntdll.dll!NtSetValueKey 77C88CF8 4 Bytes [68, 70, 29, 86] .text D:\programy\winamp\winampa.exe[3688] ntdll.dll!NtSetValueKey + 5 77C88CFD 1 Byte [C3] .text D:\programy\winamp\winampa.exe[3688] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 00862910; RET .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3696] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 01972180; RET .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3696] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 019726B0; RET .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3696] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 01972970; RET .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3696] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 01972910; RET .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3704] ntdll.dll!NtQueryDirectoryFile 77C88658 4 Bytes [68, 80, 21, EA] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3704] ntdll.dll!NtQueryDirectoryFile + 5 77C8865D 1 Byte [C3] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3704] ntdll.dll!NtResumeThread 77C88A58 4 Bytes [68, B0, 26, EA] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3704] ntdll.dll!NtResumeThread + 5 77C88A5D 1 Byte [C3] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3704] ntdll.dll!NtSetValueKey 77C88CF8 4 Bytes [68, 70, 29, EA] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3704] ntdll.dll!NtSetValueKey + 5 77C88CFD 1 Byte [C3] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3704] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 00EA2910; RET .text C:\Windows\WindowsMobile\wmdSync.exe[3808] ntdll.dll!NtQueryDirectoryFile 77C88658 4 Bytes [68, 80, 21, 8F] .text C:\Windows\WindowsMobile\wmdSync.exe[3808] ntdll.dll!NtQueryDirectoryFile + 5 77C8865D 1 Byte [C3] .text C:\Windows\WindowsMobile\wmdSync.exe[3808] ntdll.dll!NtResumeThread 77C88A58 4 Bytes [68, B0, 26, 8F] .text C:\Windows\WindowsMobile\wmdSync.exe[3808] ntdll.dll!NtResumeThread + 5 77C88A5D 1 Byte [C3] .text C:\Windows\WindowsMobile\wmdSync.exe[3808] ntdll.dll!NtSetValueKey 77C88CF8 4 Bytes [68, 70, 29, 8F] .text C:\Windows\WindowsMobile\wmdSync.exe[3808] ntdll.dll!NtSetValueKey + 5 77C88CFD 1 Byte [C3] .text C:\Windows\WindowsMobile\wmdSync.exe[3808] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 008F2910; RET .text C:\Windows\WindowsMobile\wmdSync.exe[3808] WS2_32.dll!send 7657659B 6 Bytes PUSH 008F3A90; RET .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3840] ntdll.dll!NtQueryDirectoryFile 77C88658 4 Bytes [68, 80, 21, 2B] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3840] ntdll.dll!NtQueryDirectoryFile + 5 77C8865D 1 Byte [C3] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3840] ntdll.dll!NtResumeThread 77C88A58 4 Bytes [68, B0, 26, 2B] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3840] ntdll.dll!NtResumeThread + 5 77C88A5D 1 Byte [C3] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3840] ntdll.dll!NtSetValueKey 77C88CF8 4 Bytes [68, 70, 29, 2B] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3840] ntdll.dll!NtSetValueKey + 5 77C88CFD 1 Byte [C3] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3840] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 002B2910; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[3900] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 02822180; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[3900] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 028226B0; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[3900] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 02822970; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[3900] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 02822910; RET .text C:\Program Files\Windows Sidebar\sidebar.exe[3900] WS2_32.dll!send 7657659B 6 Bytes PUSH 02823A90; RET .text C:\Program Files\uTorrent\uTorrent.exe[3932] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 02BD2180; RET .text C:\Program Files\uTorrent\uTorrent.exe[3932] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 02BD26B0; RET .text C:\Program Files\uTorrent\uTorrent.exe[3932] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 02BD2970; RET .text C:\Program Files\uTorrent\uTorrent.exe[3932] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 02BD2910; RET .text C:\Program Files\uTorrent\uTorrent.exe[3932] WS2_32.dll!send 7657659B 6 Bytes PUSH 02BD3A90; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[3952] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 03322180; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[3952] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 033226B0; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[3952] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 03322970; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[3952] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 03322910; RET .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[3952] USER32.dll!IsZoomed + 80 775A0731 7 Bytes JMP 00735CF0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[3952] USER32.dll!GetClassLongW + 529 775A1EB5 7 Bytes JMP 00735C60 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[3952] USER32.dll!DdeUninitialize + 360 775C02A5 7 Bytes JMP 00735CD0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[3952] WS2_32.dll!send 7657659B 6 Bytes PUSH 03323A90; RET .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[4120] ntdll.dll!NtQueryDirectoryFile 77C88658 6 Bytes PUSH 016A2180; RET .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[4120] ntdll.dll!NtResumeThread 77C88A58 6 Bytes PUSH 016A26B0; RET .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[4120] ntdll.dll!NtSetValueKey 77C88CF8 6 Bytes PUSH 016A2970; RET .text C:\Users\Mateusz\AppData\Local\Temp\RtkBtMnt.exe[4120] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 016A2910; RET .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[5572] ntdll.dll!NtQueryDirectoryFile 77C88658 4 Bytes [68, 80, 21, 14] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[5572] ntdll.dll!NtQueryDirectoryFile + 5 77C8865D 1 Byte [C3] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[5572] ntdll.dll!NtResumeThread 77C88A58 4 Bytes [68, B0, 26, 14] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[5572] ntdll.dll!NtResumeThread + 5 77C88A5D 1 Byte [C3] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[5572] ntdll.dll!NtSetValueKey 77C88CF8 4 Bytes [68, 70, 29, 14] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[5572] ntdll.dll!NtSetValueKey + 5 77C88CFD 1 Byte [C3] .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[5572] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 00142910; RET .text C:\Program Files\Acer\Acer VCM\acp2HID.exe[5572] WS2_32.dll!send 7657659B 6 Bytes PUSH 00143A90; RET .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[6056] ntdll.dll!NtQueryDirectoryFile 77C88658 4 Bytes [68, 80, 21, 15] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[6056] ntdll.dll!NtQueryDirectoryFile + 5 77C8865D 1 Byte [C3] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[6056] ntdll.dll!NtResumeThread 77C88A58 4 Bytes [68, B0, 26, 15] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[6056] ntdll.dll!NtResumeThread + 5 77C88A5D 1 Byte [C3] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[6056] ntdll.dll!NtSetValueKey 77C88CF8 4 Bytes [68, 70, 29, 15] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[6056] ntdll.dll!NtSetValueKey + 5 77C88CFD 1 Byte [C3] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[6056] ntdll.dll!DbgUiRemoteBreakin 77CBD50C 7 Bytes PUSH 00152910; RET ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [749B8864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [749F9855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [749BB984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [749AFB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [749B7A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [749AEA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [749EB12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [749BBC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [749B0756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [749B06BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [749A71B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74A3D9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [749D7329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [749AE109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [749A697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [749A69A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[1996] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [749B2475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Processes - GMER 2.1 ---- Process (*** hidden *** ) [4] 84541D90 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----