GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-10-10 14:44:21 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 WDC_WD2500BEVS-60UST0 rev.01.01A01 232,89GB Running: m57g1hli.exe; Driver: C:\Users\Zwierz\AppData\Local\Temp\kwdiypow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xCB2DBBA6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xCB2DC684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xCB2E86F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xCB2E8744] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xCB2E88DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xCB2E8666] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0xCB392DF0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xCB2E86AE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0xCB393080] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xCB2E8898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xCB2DD472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xCB2DBC0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xCB2E0C68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xCB2DB7F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xCB392ED0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xCB2DBC72] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xCB2E105E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xCB2DDF5A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xCB2E8722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xCB2E8766] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xCB2E8902] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xCB2E868C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xCB2E0560] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xCB2E8816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xCB2E86D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xCB2E094C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xCB2E88BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xCB392C6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xCB2DDDCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xCB2DD924] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xCB2DBCD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xCB2DBD3E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0xCB392FCC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xCB2DB892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xCB2DBA64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xCB2DB9F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xCB2DD63C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xCB2DD79E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xCB2DBAEC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0xCB392D3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xCB2DD2CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xCB2DBDA4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0xCB392BA0] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0xCB39316A] INT 0x51 ? C2C1E050 INT 0x52 ? C4CD0CD0 INT 0x53 ? C3CDD2D0 INT 0x61 ? C44942D0 INT 0x62 ? C2C1E2D0 INT 0x63 ? C3CDD550 INT 0x71 ? C4494550 INT 0x72 ? C2C1E550 INT 0x73 ? C44947D0 INT 0x74 ? C4494050 INT 0x84 ? C2C1E7D0 INT 0x94 ? C3CDDCD0 INT 0xA4 ? C3CDDA50 INT 0xB1 ? C2C1ECD0 INT 0xB4 ? C3CDD7D0 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 10D E26C57D0 4 Bytes [A6, BB, 2D, CB] .text ntkrnlpa.exe!KeSetEvent + 191 E26C5854 4 Bytes [84, C6, 2D, CB] .text ntkrnlpa.exe!KeSetEvent + 1D1 E26C5894 8 Bytes [F8, 86, 2E, CB, 44, 87, 2E, ...] {CLC ; XCHG [ESI], CH; RETF ; INC ESP; XCHG [ESI], EBP; RETF } .text ntkrnlpa.exe!KeSetEvent + 1DD E26C58A0 4 Bytes [DE, 88, 2E, CB] .text ntkrnlpa.exe!KeSetEvent + 1F5 E26C58B8 4 Bytes [66, 86, 2E, CB] {XCHG [ESI], CH; RETF } .text ... ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\svchost.exe[156] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe[192] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[396] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Windows\System32\svchost.exe[504] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ntdll.dll!NtQueryInformationProcess 76F84CC4 5 Bytes JMP 0146A3D0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] kernel32.dll!IsDebuggerPresent 7680EFE7 6 Bytes JMP 0150C040 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] kernel32.dll!DeviceIoControl 768150EF 7 Bytes JMP 0146A710 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] kernel32.dll!CreateFileW 7683B0CB 5 Bytes JMP 0146A5F0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] kernel32.dll!CreateFileA 7683D05F 5 Bytes JMP 0146A480 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] USER32.dll!ChangeDisplaySettingsExA 75666FE7 5 Bytes JMP 01472AD0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] USER32.dll!ChangeDisplaySettingsExW 756AA9E4 5 Bytes JMP 01472B00 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegFlushKey 7581CDEB 7 Bytes JMP 01405170 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegDeleteKeyA 75831C8C 5 Bytes JMP 01405220 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegQueryInfoKeyA 7583297F 7 Bytes JMP 01405440 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegDeleteValueA 75832F59 7 Bytes JMP 01405280 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegQueryValueA 758330C8 7 Bytes JMP 014054A0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegDeleteKeyW 758338CD 7 Bytes JMP 01405250 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegCreateKeyExA 758339AB 5 Bytes JMP 014051E0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegCreateKeyA 75833BA9 5 Bytes JMP 014051A0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegSetValueExA 75833BEC 7 Bytes JMP 014055C0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegDeleteValueW 75833FB6 7 Bytes JMP 014052B0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegOpenKeyA 758389C7 5 Bytes JMP 014053A0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegEnumValueA 75838A0B 7 Bytes JMP 01405340 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegEnumValueW 75839850 7 Bytes JMP 01405370 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegEnumKeyExA 758428D2 5 Bytes JMP 014052E0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegQueryValueW 758432D4 7 Bytes JMP 014054D0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegCreateKeyW 7584391E 5 Bytes JMP 014051C0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegSetValueExW 75843D5A 7 Bytes JMP 014055F0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegCreateKeyExW 758441F1 5 Bytes JMP 01405200 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegQueryInfoKeyW 758448B4 7 Bytes JMP 01405470 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegQueryValueExA 75847A9D 7 Bytes JMP 01405500 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegOpenKeyExA 75847C42 5 Bytes JMP 014053E0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegOpenKeyW 7584E2B5 5 Bytes JMP 014053C0 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegQueryValueExW 7585765E 7 Bytes JMP 01405530 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegCloseKey 75857908 7 Bytes JMP 01405140 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegOpenKeyExW 75857BA1 5 Bytes JMP 01405410 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegEnumKeyExW 75857F52 7 Bytes JMP 01405310 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegSetValueW 7585B3E4 5 Bytes JMP 01405590 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ADVAPI32.dll!RegSetValueA 75895811 5 Bytes JMP 01405560 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe[540] ole32.dll!CoCreateInstance 76E29F3E 5 Bytes JMP 01405720 C:\Program Files\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe .text C:\Windows\system32\csrss.exe[600] KERNEL32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Windows\system32\svchost.exe[648] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Windows\system32\wininit.exe[652] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Windows\system32\csrss.exe[660] KERNEL32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Windows\system32\services.exe[696] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1488] kernel32.dll!SetUnhandledExceptionFilter 7681A8B5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1488] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Windows\system32\WLANExt.exe[1532] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1672] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Program Files\DigitalPersona\Bin\DpHostW.exe[1700] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Windows\system32\svchost.exe[1760] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text ... .text C:\Program Files\Opera\opera.exe[3152] ntdll.dll!LdrLoadDll 76F49378 5 Bytes JMP 000601F8 .text C:\Program Files\Opera\opera.exe[3152] ntdll.dll!LdrUnloadDll 76F5B680 5 Bytes JMP 000603FC .text C:\Program Files\Opera\opera.exe[3152] KERNEL32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Windows\system32\wbem\unsecapp.exe[3188] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Windows\system32\Dwm.exe[3224] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[3256] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Windows\Explorer.EXE[3268] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\avastui.exe[3644] kernel32.dll!SetUnhandledExceptionFilter 7681A8B5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[3644] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Windows\System32\mobsync.exe[3804] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe[3828] KERNEL32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[3936] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3956] kernel32.dll!GetBinaryTypeW + 70 76842447 1 Byte [62] .text ... ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [738A7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [738EB4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [738ABB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [7389F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [738A75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [7389E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [738D73F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [738ADA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [7389FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [7389FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [738971CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [7392CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [738CC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [7389D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree] [73896853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc] [7389687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.exe[2060] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [738A2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [738A7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [738EB4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [738ABB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7389F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [738A75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7389E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [738D73F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [738ADA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7389FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7389FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [738971CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7392CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [738CC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7389D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73896853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7389687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll IAT C:\Windows\Explorer.EXE[3268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [738A2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp aswTdi.sys AttachedDevice \Driver\tdx \Device\Udp aswTdi.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x37 0x15 0x01 0x81 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x15 0x06 0x14 0xD6 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD9 0x2B 0xBC 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xA0 0xA4 0x73 0xB3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xB5 0x84 0xE3 0xA1 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x37 0x15 0x01 0x81 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x15 0x06 0x14 0xD6 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@d0 1 Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD9 0x2B 0xBC 0x80 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xA0 0xA4 0x73 0xB3 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xB5 0x84 0xE3 0xA1 ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----