GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-08 20:40:25
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path1Target1Lun0 SAMSUNG_ rev.JF10
Running: govhgsz3.exe; Driver: C:\DOCUME~1\Nemesis\USTAWI~1\Temp\pxldqpow.sys

---- System - GMER 1.0.15 ----

SSDT F7A7A65E ZwCreateKey
SSDT F7A7A654 ZwCreateThread
SSDT F7A7A663 ZwDeleteKey
SSDT F7A7A66D ZwDeleteValueKey
SSDT F7A7A672 ZwLoadKey
SSDT F7A7A640 ZwOpenProcess
SSDT F7A7A645 ZwOpenThread
SSDT F7A7A67C ZwReplaceKey
SSDT F7A7A677 ZwRestoreKey
SSDT F7A7A668 ZwSetValueKey

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF602D3A0, 0x5FE082, 0xE8000020]
init C:\WINDOWS\system32\drivers\pvsum.sys entry point in "init" section [0xAB00B2E0]
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xAAC4AF00, 0x24000, 0x48000000]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[180] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\WINDOWS\Explorer.EXE[180] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\WINDOWS\Explorer.EXE[180] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\WINDOWS\Explorer.EXE[180] ws2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\WINDOWS\Explorer.EXE[180] ws2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\WINDOWS\Explorer.EXE[180] ws2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\WINDOWS\Explorer.EXE[180] ws2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\WINDOWS\Explorer.EXE[180] ws2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\Program Files\Java\jre6\bin\jqs.exe[224] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\Program Files\Java\jre6\bin\jqs.exe[224] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\Program Files\Java\jre6\bin\jqs.exe[224] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\Program Files\Java\jre6\bin\jqs.exe[224] WS2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\Program Files\Java\jre6\bin\jqs.exe[224] WS2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\Program Files\Java\jre6\bin\jqs.exe[224] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\Program Files\Java\jre6\bin\jqs.exe[224] WS2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\Program Files\Java\jre6\bin\jqs.exe[224] WS2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\Program Files\Kilgray\memoQ40\AUClient.exe[268] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\Program Files\Kilgray\memoQ40\AUClient.exe[268] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\Program Files\Kilgray\memoQ40\AUClient.exe[268] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\Program Files\Kilgray\memoQ40\AUClient.exe[268] WS2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\Program Files\Kilgray\memoQ40\AUClient.exe[268] WS2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\Program Files\Kilgray\memoQ40\AUClient.exe[268] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\Program Files\Kilgray\memoQ40\AUClient.exe[268] WS2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\Program Files\Kilgray\memoQ40\AUClient.exe[268] WS2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\WINDOWS\RTHDCPL.EXE[512] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\WINDOWS\RTHDCPL.EXE[512] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\WINDOWS\RTHDCPL.EXE[512] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\WINDOWS\RTHDCPL.EXE[512] ws2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\WINDOWS\RTHDCPL.EXE[512] ws2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\WINDOWS\RTHDCPL.EXE[512] ws2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\WINDOWS\RTHDCPL.EXE[512] ws2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\WINDOWS\RTHDCPL.EXE[512] ws2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\taskswitch.exe[528] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\WINDOWS\system32\taskswitch.exe[528] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\WINDOWS\system32\taskswitch.exe[528] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\WINDOWS\system32\taskswitch.exe[528] ws2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\WINDOWS\system32\taskswitch.exe[528] ws2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\WINDOWS\system32\taskswitch.exe[528] ws2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\WINDOWS\system32\taskswitch.exe[528] ws2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\WINDOWS\system32\taskswitch.exe[528] ws2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text D:\Emulatory\PC\Windows\Parallels Workstation\PRLDHCP.exe[548] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text D:\Emulatory\PC\Windows\Parallels Workstation\PRLDHCP.exe[548] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text D:\Emulatory\PC\Windows\Parallels Workstation\PRLDHCP.exe[548] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text D:\Emulatory\PC\Windows\Parallels Workstation\PRLDHCP.exe[548] ws2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text D:\Emulatory\PC\Windows\Parallels Workstation\PRLDHCP.exe[548] ws2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text D:\Emulatory\PC\Windows\Parallels Workstation\PRLDHCP.exe[548] ws2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text D:\Emulatory\PC\Windows\Parallels Workstation\PRLDHCP.exe[548] ws2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text D:\Emulatory\PC\Windows\Parallels Workstation\PRLDHCP.exe[548] ws2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[572] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[572] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[572] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[572] ws2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[572] ws2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[572] ws2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[572] ws2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\Program Files\Avira\AntiVir Desktop\avshadow.exe[572] ws2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\ctfmon.exe[628] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\WINDOWS\system32\ctfmon.exe[628] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\WINDOWS\system32\ctfmon.exe[628] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\WINDOWS\system32\ctfmon.exe[628] ws2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\WINDOWS\system32\ctfmon.exe[628] ws2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\WINDOWS\system32\ctfmon.exe[628] ws2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\WINDOWS\system32\ctfmon.exe[628] ws2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\WINDOWS\system32\ctfmon.exe[628] ws2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\winlogon.exe[736] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\WINDOWS\system32\winlogon.exe[736] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\services.exe[784] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\WINDOWS\system32\services.exe[784] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\WINDOWS\system32\services.exe[784] ws2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\WINDOWS\system32\services.exe[784] ws2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\WINDOWS\system32\services.exe[784] ws2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\WINDOWS\system32\services.exe[784] ws2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\WINDOWS\system32\services.exe[784] ws2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\lsass.exe[796] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\WINDOWS\system32\lsass.exe[796] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\WINDOWS\system32\lsass.exe[796] WS2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\WINDOWS\system32\lsass.exe[796] WS2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\WINDOWS\system32\lsass.exe[796] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\WINDOWS\system32\lsass.exe[796] WS2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\WINDOWS\system32\lsass.exe[796] WS2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\nvsvc32.exe[968] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\WINDOWS\system32\nvsvc32.exe[968] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\WINDOWS\system32\nvsvc32.exe[968] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\WINDOWS\system32\nvsvc32.exe[968] ws2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\WINDOWS\system32\nvsvc32.exe[968] ws2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\WINDOWS\system32\nvsvc32.exe[968] ws2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\WINDOWS\system32\nvsvc32.exe[968] ws2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\WINDOWS\system32\nvsvc32.exe[968] ws2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\svchost.exe[1020] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\WINDOWS\system32\svchost.exe[1020] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\WINDOWS\system32\svchost.exe[1020] ws2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\WINDOWS\system32\svchost.exe[1020] ws2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\WINDOWS\system32\svchost.exe[1020] ws2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\WINDOWS\system32\svchost.exe[1020] ws2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\WINDOWS\system32\svchost.exe[1020] ws2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1136] ntdll.dll!NtAllocateVirtualMemory 7C90D4DE 5 Bytes JMP 0050ED30 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO Internet Security/COMODO)
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1136] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 005266C0 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe (COMODO Internet Security/COMODO)
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1136] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1136] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1136] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1136] WS2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1136] WS2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1136] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1136] WS2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1136] WS2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\WINDOWS\system32\svchost.exe[1168] ws2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\WINDOWS\system32\svchost.exe[1168] ws2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\WINDOWS\system32\svchost.exe[1168] ws2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\WINDOWS\system32\svchost.exe[1168] ws2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\WINDOWS\system32\svchost.exe[1168] ws2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\WINDOWS\system32\vmnat.exe[1340] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\WINDOWS\system32\vmnat.exe[1340] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\WINDOWS\system32\vmnat.exe[1340] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\WINDOWS\system32\vmnat.exe[1340] WS2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\WINDOWS\system32\vmnat.exe[1340] WS2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\WINDOWS\system32\vmnat.exe[1340] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\WINDOWS\system32\vmnat.exe[1340] WS2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\WINDOWS\system32\vmnat.exe[1340] WS2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text D:\Emulatory\PC\Windows\VMWare Workstation\vmware-authd.exe[1444] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 100F3DF8
.text D:\Emulatory\PC\Windows\VMWare Workstation\vmware-authd.exe[1444] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 100F3C40
.text D:\Emulatory\PC\Windows\VMWare Workstation\vmware-authd.exe[1444] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 100F3E7C
.text D:\Emulatory\PC\Windows\VMWare Workstation\vmware-authd.exe[1444] WS2_32.dll!connect 71A5406A 5 Bytes JMP 100F3AF4
.text D:\Emulatory\PC\Windows\VMWare Workstation\vmware-authd.exe[1444] WS2_32.dll!send 71A5428A 5 Bytes JMP 100F3268
.text D:\Emulatory\PC\Windows\VMWare Workstation\vmware-authd.exe[1444] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 100F27F4
.text D:\Emulatory\PC\Windows\VMWare Workstation\vmware-authd.exe[1444] WS2_32.dll!recv 71A5615A 5 Bytes JMP 100F2788
.text D:\Emulatory\PC\Windows\VMWare Workstation\vmware-authd.exe[1444] WS2_32.dll!WSASend 71A56233 5 Bytes JMP 100F3AA0
.text C:\WINDOWS\system32\spoolsv.exe[1644] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\WINDOWS\system32\spoolsv.exe[1644] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\WINDOWS\system32\spoolsv.exe[1644] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\WINDOWS\system32\spoolsv.exe[1644] ws2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\WINDOWS\system32\spoolsv.exe[1644] ws2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\WINDOWS\system32\spoolsv.exe[1644] ws2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\WINDOWS\system32\spoolsv.exe[1644] ws2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\WINDOWS\system32\spoolsv.exe[1644] ws2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1704] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1704] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1704] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1704] WS2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1704] WS2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1704] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1704] WS2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1704] WS2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1864] ntdll.dll!NtOpenKey 7C90DD3C 5 Bytes JMP 10003DF8
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1864] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10003C40
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1864] kernel32.dll!ExitProcess 7C81CA82 5 Bytes JMP 10003E7C
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1864] ws2_32.dll!connect 71A5406A 5 Bytes JMP 10003AF4
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1864] ws2_32.dll!send 71A5428A 5 Bytes JMP 10003268
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1864] ws2_32.dll!WSARecv 71A54318 5 Bytes JMP 100027F4
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1864] ws2_32.dll!recv 71A5615A 5 Bytes JMP 10002788
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[1864] ws2_32.dll!WSASend 71A56233 5 Bytes JMP 10003AA0

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F71BA750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F71BA820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F71BA7F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F71BA7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F71BA7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F71BA820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F71BA750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F71BA7F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F71BA7F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F71BA7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F71BA820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F71BA750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F71BA7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F71BA750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F71BA820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F71BA7F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F71BA750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F71BA820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F71BA7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F71BA7F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F71BA7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F71BA820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F71BA750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F71BA7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F71BA7F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F71BA750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F71BA820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisRegisterProtocol] [F71BA7B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisOpenAdapter] [F71BA820] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisDeregisterProtocol] [F71BA7F0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisCloseAdapter] [F71BA750] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
Device \Driver\usbohci \Device\USBPDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBPDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
Device \Driver\usbhub \Device\USBPDO-6 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000073 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000075 hcmon.sys (VMware USB monitor/VMware, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
Device \Driver\usbohci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8B 0x12 0x26 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x60 0xEE 0x24 0x05 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x5B 0x62 0xCF 0x23 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x66 0x3E 0x67 0xDB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8B 0x12 0x26 0xFB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x60 0xEE 0x24 0x05 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x5B 0x62 0xCF 0x23 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x66 0x3E 0x67 0xDB ...

---- EOF - GMER 1.0.15 ----