GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-04 22:09:45 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9250410AS rev.0003HPM1 232,89GB Running: sh3ki0ii.exe; Driver: C:\DOCUME~1\user\USTAWI~1\Temp\uxtdapow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xAC7B1A9C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xAC7B257A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xAC7F685D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xAC7BE5C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xAC7BE610] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xAC7BE7AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xAC7F6211] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xAC7BE532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xAC7BE654] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xAC7BE57A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xAC7B2AB0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xAC7BE764] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xAC7B3368] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xAC7B1B02] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xAC7F6F23] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xAC7F71D9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xAC7B6B3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xAC7F6D8E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xAC7F6BF9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xAC7B16EE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xACAC767A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xAC7B1B68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xAC7B6F32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xAC7B3E50] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xAC7BE5EE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xAC7BE632] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xAC7BE7CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xAC7F656D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xAC7BE558] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xAC7B6436] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xAC7BE6E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xAC7BE5A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xAC7B681E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xAC7BE788] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xACAC741E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xAC7F6A74] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xAC7B3CC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xAC7F68C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xAC7B381A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xACAD53D8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xAC7F5857] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xAC7B1BCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xAC7B1C34] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xAC7B31E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xAC7B1788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xAC7B195A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xAC7F702A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xAC7B18E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xAC7B3532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xAC7B3694] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xAC7B19E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xAC7B3020] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xAC7B31C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xAC7B1C9A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xAC7B25D6] INT 0x62 ? 8AB92CC8 INT 0x63 ? 8AB92CC8 INT 0x63 ? 8AB92CC8 INT 0x63 ? 8A803CC8 INT 0x63 ? 8A803CC8 INT 0x63 ? 8AB92CC8 INT 0x73 ? 8A803CC8 INT 0x82 ? 8AB92CC8 INT 0x84 ? 8A803CC8 INT 0x94 ? 8A803CC8 INT 0xA4 ? 8A803CC8 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2F10 8050479C 12 Bytes [CE, 1B, 7B, AC, 34, 1C, 7B, ...] {INTO ; SBB EDI, [EBX-0x54]; XOR AL, 0x1c; JNP 0xffffffb4; LOOP 0x3b; JNP 0xffffffb8} .text ntkrnlpa.exe!ZwCallbackReturn + 2FA8 80504834 4 Bytes CALL D8FCC351 .text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504844 12 Bytes [32, 35, 7B, AC, 94, 36, 7B, ...] {XOR DH, [0x3694ac7b]; JNP 0xffffffb4; LOOP 0x23; JNP 0xffffffb8} PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A648C 4 Bytes CALL AC7B44FD \SystemRoot\system32\drivers\aswSnx.sys .sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xB9F8D346] .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB924E000, 0x1BDE76, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\Explorer.EXE[272] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[272] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[492] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[492] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Java\jre7\bin\jqs.exe[516] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Java\jre7\bin\jqs.exe[516] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\LSI SoftModem\agrsmsvc.exe[728] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\LSI SoftModem\agrsmsvc.exe[728] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[820] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[820] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[896] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[904] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[904] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[932] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[932] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[940] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[940] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[964] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[964] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[996] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[996] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1040] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1040] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1052] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1052] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\accelerometerST.exe[1112] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\accelerometerST.exe[1112] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1236] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1236] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1264] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1264] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1380] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1380] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1404] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[1432] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[1432] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[1432] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[1448] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[1448] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Messenger\msmsgs.exe[1464] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Messenger\msmsgs.exe[1464] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[1488] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[1488] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[1504] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[1504] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1532] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1532] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1548] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1548] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1676] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1676] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1752] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1752] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1752] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1780] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[1780] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1840] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1840] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[1868] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00321EB1 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1868] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[1868] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 001C03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[1868] KERNEL32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 0234B5B0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1868] KERNEL32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 0234B58D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1868] KERNEL32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 019C76E2 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1868] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[1868] user32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 020E52E3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1868] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 0234B50E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\WiseEnhance\updateWiseEnhance.exe[1976] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\WiseEnhance\updateWiseEnhance.exe[1976] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Documents and Settings\user\Pulpit\sh3ki0ii.exe[2084] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Documents and Settings\user\Pulpit\sh3ki0ii.exe[2084] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\WiseEnhance\bin\utilWiseEnhance.exe[2368] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\WiseEnhance\bin\utilWiseEnhance.exe[2368] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[2708] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[2708] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2784] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2784] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3028] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3028] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3096] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3096] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[3348] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[3348] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3388] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3388] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe[3564] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe[3564] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3708] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe[3708] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[1040] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[1040] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8AB4B1F8 AttachedDevice \Driver\Tcpip \Device\Ip {2c976a7f-dbdc-4756-870f-f6d183fe7a7e}Gt.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Wdf01000.sys Device \Driver\usbuhci \Device\USBPDO-0 8A7721F8 Device \Driver\usbuhci \Device\USBPDO-1 8A7721F8 Device \Driver\usbehci \Device\USBPDO-2 8A7F41F8 Device \Driver\usbuhci \Device\USBPDO-3 8A7721F8 Device \Driver\usbuhci \Device\USBPDO-4 8A7721F8 AttachedDevice \Driver\Tcpip \Device\Tcp {2c976a7f-dbdc-4756-870f-f6d183fe7a7e}Gt.sys Device \Driver\usbehci \Device\USBPDO-5 8A7F41F8 Device \Driver\usbuhci \Device\USBPDO-6 8A7721F8 Device \Driver\usbuhci \Device\USBPDO-7 8A7721F8 Device \Driver\Cdrom \Device\CdRom0 8A6F71F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9DDDB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [B9DDDB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B9DDDB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B9DDDB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B9DDDB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 [B9DDDB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 89C001F8 Device \Driver\NetBT \Device\NetbiosSmb 89C001F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{9546C111-48B7-4CFA-994C-E713B79B81CA} 89C001F8 AttachedDevice \Driver\Tcpip \Device\Udp {2c976a7f-dbdc-4756-870f-f6d183fe7a7e}Gt.sys AttachedDevice \Driver\Tcpip \Device\RawIp {2c976a7f-dbdc-4756-870f-f6d183fe7a7e}Gt.sys Device \Driver\usbuhci \Device\USBFDO-0 8A7721F8 Device \Driver\usbuhci \Device\USBFDO-1 8A7721F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89BFD1F8 Device \Driver\usbuhci \Device\USBFDO-2 8A7721F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89BFD1F8 Device \Driver\usbehci \Device\USBFDO-3 8A7F41F8 Device \Driver\usbuhci \Device\USBFDO-4 8A7721F8 Device \Driver\usbuhci \Device\USBFDO-5 8A7721F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{D943668F-A2C8-4361-BB91-81E8F556EAE8} 89C001F8 Device \Driver\usbuhci \Device\USBFDO-6 8A7721F8 Device \Driver\usbehci \Device\USBFDO-7 8A7F41F8 Device \FileSystem\Cdfs \Cdfs 8A6BC430 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x37 0x7C 0x6F 0xD2 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x13 0x8E 0xB6 0x76 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x37 0x7C 0x6F 0xD2 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x37 0x7C 0x6F 0xD2 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x13 0x8E 0xB6 0x76 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x47 0xC6 0xB2 0x99 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2E 0xF9 0x29 0xBE ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD9 0x34 0x8A 0x73 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x13 0x8E 0xB6 0x76 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x47 0xC6 0xB2 0x99 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2E 0xF9 0x29 0xBE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD9 0x34 0x8A 0x73 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x13 0x8E 0xB6 0x76 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x47 0xC6 0xB2 0x99 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2E 0xF9 0x29 0xBE ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD9 0x34 0x8A 0x73 ... ---- EOF - GMER 2.1 ----